cbcvebase.
CVE-2008-0175
published 2008-01-29

CVE-2008-0175: Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by…

Priority: P259, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 15.44% (96.4th percentile)
Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the main virtual directory.

Affected

1 range
Vendor: ge_fanuc
Product: proficy_real-time_information_portal
Version range: <= 2.6
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: http://<RHOST>/infoAgentSrv/iFixWeb
path: /infoAgentSrv/iFixWeb
filename: jspshell.jsp
path: /infoAgentSrv/jspshell.jsp
command: GET /infoAgentSrv/jspshell.jsp?cmd=c:\pwn.exe HTTP/1.0
  • Monitor HTTP requests to /infoAgentSrv/iFixWeb for SOAP calls invoking the writeFile() API method, particularly attempts to upload files with executable extensions (e.g., .jsp, .exe, .asp).
  • Alert on HTTP GET requests to /infoAgentSrv/ containing a 'cmd=' query parameter, which indicates webshell command execution following successful exploitation.
  • Detect unrestricted file upload to the main virtual directory of GE Fanuc Proficy Real-Time Information Portal; any uploaded file with an executable extension (.jsp, .asp, .exe, etc.) should trigger an alert.
  • Inspect SOAP traffic targeting the SOAP namespace 'urn:iFixWeb' for invocations of the writeFile() method from unauthenticated or anomalous sources.
  • The exploit targets GE Fanuc Proficy Real-Time Information Portal version 2.6 and earlier; versions beyond 2.6 may not be affected.
  • The Metasploit module requires the httpaccess2 Ruby library (soap/rpc/driver) to function; absence of this dependency will prevent exploitation via this specific module.
  • The exploit payload space is constrained to 4000 bytes for the targeted platform.
  • The exploit targets the Windows platform only, as indicated by the module's platform declaration.
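
The detection bullets above, applied to web-server access logs. This is an added example, not code from this page or from the vendor. The log lines are constructed, the log format (common/combined) and the rule names are assumptions, and the extension list extends the page's ".jsp, .asp, .exe, etc.".

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log prefix: src ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

BASE = "/infoagentsrv/"                     # main virtual directory (compared lower-cased)
SOAP_ENDPOINT = "/infoagentsrv/ifixweb"     # endpoint that exposes writeFile()
EXEC_EXT = (".jsp", ".jspx", ".asp", ".aspx", ".exe")  # assumption: extend per server

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [29/Jan/2008:10:00:01 +0000] "POST /infoAgentSrv/iFixWeb HTTP/1.1" 200 512',
    r'192.0.2.10 - - [29/Jan/2008:10:00:05 +0000] "GET /infoAgentSrv/jspshell.jsp?cmd=c:\pwn.exe HTTP/1.0" 200 0',
    r'192.0.2.11 - - [29/Jan/2008:10:01:00 +0000] "GET /infoAgentSrv/index.html HTTP/1.1" 200 1024',
    r'192.0.2.12 - - [29/Jan/2008:10:02:00 +0000] "GET /INFOAGENTSRV/x.JSP?CMD=test HTTP/1.1" 404 0',
]

def classify(line):
    """Return (source, status, [rule names]) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode and lower-case so %-encoding or case changes do not bypass the match.
    path = unquote(parts.path).lower()
    if not path.startswith(BASE):
        return None
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hits = []
    if m["method"] == "GET" and "cmd" in params:
        hits.append("webshell-cmd")          # 'cmd=' parameter under /infoAgentSrv/
    if path.endswith(EXEC_EXT):
        hits.append("exec-ext-request")      # executable-extension file in the directory
    if m["method"] == "POST" and path.rstrip("/") == SOAP_ENDPOINT:
        # Access logs carry no SOAP body: pair this with body capture to confirm writeFile().
        hits.append("soap-endpoint-post")
    return (m["src"], m["status"], hits) if hits else None

def triage(lines):
    """Classify every line and keep only the flagged ones, in log order."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for src, status, rules in triage(SAMPLE_LOG):
        print(src, status, ",".join(rules))
```

A 200 status on an `exec-ext-request` hit means the file exists in the directory and deserves priority over a 404 probe.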