PT-2017-5797 · Eyou · Eyou Mail System

Conqu3R.Zeng

Published

2017-10-24

Updated

2019-12-11

CVE-2014-1203

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Eyou Mail System versions prior to 3.6

Description: The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to the "/admin/domain/ip login set/d ip login get.php" API endpoint. This is due to a flaw in the get login ip config file function.

Recommendations: For versions prior to 3.6, consider disabling the get login ip config file function until a patch is available. Restrict access to the "/admin/domain/ip login set/d ip login get.php" API endpoint to minimize the risk of exploitation. Avoid using the domain parameter in the affected API endpoint until the issue is resolved.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2014-1203

Affected Products

Eyou Mail System

PT-2017-5797 · Eyou · Eyou Mail System

CVE-2014-1203

Weakness Enumeration

Related Identifiers

Affected Products

References · 2