An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET request to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering, which can lead to command execution.
References
Link | Resource |
---|---|
https://github.com/v1k1ngfr | Exploit Third Party Advisory |
https://raw.githubusercontent.com/v1k1ngfr/exploits/master/rconfig_exploit.py?token= | Broken Link |
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py | Exploit Third Party Advisory |
http://packetstormsecurity.com/files/156146/rConfig-3.9.3-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
Configurations
Information
Published : 2020-01-06 12:15
Updated : 2023-01-31 12:39
NVD link : CVE-2019-19509
Mitre link : CVE-2019-19509
JSON object : View
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Products Affected
rconfig
- rconfig