Summary

Acunetix 360 identified that code execution via WebDAV. Acunetix 360 successfully uploaded a file via PUT method and then renamed this file via MOVE method. When requesting the file, code is executed in the context of the web server. At the end of the attack, Acunetix 360 tried to delete the file.

Impact

An attacker can execute malicious code by abusing the Code Execution via WebDAV vulnerability on the server.

Remediation

Remove write permissions from this directory or disable WebDAV if it's not being used.

Required Skills for Successful Exploitation

This vulnerability is not difficult to leverage. Successful exploitation requires knowledge of the programming language, access to or the ability to produce source code for use in such attacks, and minimal attack skills.

Severity

Critical

Classification

PCI v3.2-6.5.8 CAPEC-17 CWE-94 HIPAA-164.306(a) 164.308(a) ISO27001-A.14.2.5 WASC-17 OWASP 2017-A6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H