W-CMS 2.0.1 Remote Code Execution Network Vulnerability

Summary

w-CMS is prone to a remote code execution vulnerability.

Impact

Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the user running the affected application. Impact Level: Application

Solution

Ask the Vendor for an update.

Insight

Input passed to userFunctions.php is not properly sanitized.

Affected

w-CMS 2.0.1 is vulnerable other versions may also be affected.

Detection

Send a HTTP POST request which execute the phpinfo() command and check the response if it was successfull.

References

http://packetstormsecurity.com/files/122833/w-CMS-2.0.1-Remote-Code-Execution.html

Updated on 2017-03-28

Severity

Classification

CVSS Base Score: 8.5
AV:N/AC:L/Au:N/C:C/I:P/A:N

Related Vulnerabilities

'research_display.php' SQL Injection Vulnerability
AlienVault OSSIM SQL Injection and Remote Code Execution Vulnerabilities
Apple Safari RSS Feed Information Disclosure Vulnerability
AlienVault OSSIM Multiple Remote Code Execution Vulnerabilities
AlienVault OSSIM 'date_from' Parameter Multiple SQL Injection Vulnerabilities

w-CMS 2.0.1 Remote Code Execution

Take action and discover your vulnerabilities