The cyber security expert Mohammad Askar has discovered two critical remote code execution vulnerabilities in the
One of the exploits could be exploited by a remote, unauthenticated attacker to compromise targeted servers, and connected network devices.
The first vulnerability, tracked as CVE-2019-16662, resides in the ajaxServerSettingsChk.php, it can be exploited by a remote, unauthenticated attacker.
“As we can see in line #2 the scripts save a GET request called ‘
“So we just need to inject our command and escape the string on line #13 to get our command executed, and to do that we can use the following payload:” 1
The researchers wrote a simple python code to exploit this vulnerability.
The second RCE, tracked as CVE-2019-16663, resides in the search
The expert wrote a python code to exploit also this vulnerability:
An attacker could access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.
The researchers that
discovered that the second RCE vulnerability could also be also exploited by an
“A few days ago, Askar disclosed his finding after 35 days
Askar reported the two vulnerabilities to the
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.