PT-2017-18703 · Playsms · Playsms

Touhid M. Shaikh

Published

2017-05-21

Updated

2018-05-11

CVE-2017-9101

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions PlaySMS version 1.4

Description The issue allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file, specifically in the import.php feature, also known as the Phonebook import feature.

Recommendations For PlaySMS version 1.4, consider disabling the import.php feature, specifically the Phonebook import functionality, until a patch is available to prevent potential remote code execution. Restrict access to the import.php file to minimize the risk of exploitation. Avoid using the User-Agent HTTP header with malicious PHP code in the file name to prevent remote code execution.

Exploit

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2017-9101

Affected Products

Playsms

PT-2017-18703 · Playsms · Playsms

CVE-2017-9101

Weakness Enumeration

Related Identifiers

Affected Products

References · 7