PT-2018-9230 · Security Onion Solutions · Squert

Jeffrey Medsger · Published 2018-02-09 · Updated 2018-03-01 · CVE-2018-1000043

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Security Onion Solutions Squert versions 1.0.1 through 1.6.7
Description: The issue is related to an OS Command Injection vulnerability. It can be exploited via a web request to the "/inc/callback.php" endpoint with a payload in the txdata parameter, used in tx() or transcript(), or the catdata parameter, used in cat(). This can result in the execution of OS commands.
Recommendations: For versions 1.0.1 through 1.6.7, update to version 1.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/inc/callback.php" endpoint and avoiding the use of the txdata and catdata parameters until the update is applied.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2018-1000043

Affected Products: Squert