The cyber security expert Mohammad Askar has discovered two critical remote code execution vulnerabilities in the
One of the vulnerabilities could be exploited by a remote, unauthenticated attacker to compromise targeted servers and connected network devices.
The first vulnerability, tracked as CVE-2019-16662, resides in ajaxServerSettingsChk.php and can be exploited by a remote, unauthenticated attacker.
“As we can see in line #2 the scripts save a GET request called ‘
“So we just need to inject our command and escape the string on line #13 to get our command executed, and to do that we can use the following payload:”
The researchers wrote a simple Python script to exploit this vulnerability.
The second RCE, tracked as CVE-2019-16663, resides in the search
The expert also wrote Python code to exploit this vulnerability.
An attacker could access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.
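Requests of this kind leave a trace in the web server's access log. The following Python detector is an added example, not code from the researcher or the vendor: it flags requests to ajaxServerSettingsChk.php whose decoded GET parameter values contain shell metacharacters. The log lines, the `/app/` path prefix and the parameter name `p` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script named in the article (compared in lower case); other files can be added here.
WATCHED_SCRIPTS = {"ajaxserversettingschk.php"}
# Characters that let a parameter value break out of a shell command string.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")
# Client address, request line and status from a common/combined-format log line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return (name, decoded value) pairs carrying shell metacharacters for a watched script."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return []
    # parse_qsl percent-decodes values, so "%3B" and ";" are treated alike.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if SHELL_META.search(value)]


def scan(lines):
    """Return one finding per log line that hits a watched script with a suspicious value."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue
        hits = suspicious_params(match["target"])
        if hits:
            findings.append({"line": number, "ip": match["ip"],
                             "status": match["status"], "params": hits})
    return findings


# Constructed sample log lines (documentation IP ranges, hypothetical path and parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2019:10:00:01 +0000] "GET /app/ajaxServerSettingsChk.php?p=apache HTTP/1.1" 200 31',
    '198.51.100.7 - - [01/Nov/2019:10:00:05 +0000] "GET /app/ajaxServerSettingsChk.php?p=a%3Becho%20test HTTP/1.1" 200 40',
    '192.0.2.44 - - [01/Nov/2019:10:01:10 +0000] "GET /index.php?q=a%7Cb HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Nov/2019:10:02:30 +0000] "GET /app/ajaxServerSettingsChk.php?p=%60uname%60 HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 from an unauthenticated client is worth correlating with process-creation logs on the same host around the same timestamp.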
The researchers that
discovered that the second RCE vulnerability could also be exploited by an
“A few days ago, Askar disclosed his finding after 35 days
Askar reported the two vulnerabilities to the