ZeroShell 2.0RC2 File Disclosure / Command Execution Network Vulnerability

Summary

ZeroShell is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Impact

An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks. Impact Level: Application

Solution

Updates are available.

Insight

Input to the 'Object' value in /cgi-bin/kerbynet is not properly sanitized

Affected

ZeroShell version 2.0RC2 is vulnerable other versions may also be affected.

Detection

Send a GET request which tries to include /etc/passwd and check the response.

References

http://packetstormsecurity.com/files/122799/ZeroShell-2.0RC2-File-Disclosure-Command-Execution.html

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N

Related Vulnerabilities

Arkeia Appliance Multiple Vulnerabilities
ApPHP MicroBlog Remote Code Execution Vulnerability
ATutor < 1.5.1-pl1 Multiple Flaws
Acidcat CMS Multiple Vulnerabilities
Athena Web Registration remote command execution flaw

Take action and discover your vulnerabilities