PT-2019-14749 · Rconfig · Rconfig
Askar
·
Published
2019-10-26
·
Updated
2019-11-19
·
CVE-2019-16663
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
rConfig version 3.9.2
Description
An issue allows an attacker to directly execute system commands by sending a GET request to "search.crud.php" because the
catCommand parameter is passed to the exec function without filtering, which can lead to command execution.Recommendations
For rConfig version 3.9.2, as a temporary workaround, consider restricting access to the "search.crud.php" endpoint or filtering the
catCommand parameter to prevent command execution until a patch is available.Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rconfig