CVE-2013-1349
Published 2013-12-09

CVE-2013-1349: Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.
Priority: P266, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 23.32% (97.5th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
Detection & IOCs
- Monitor POST requests to ajax.php containing a 'modname' parameter with a '?' character, which is the trigger condition for the eval() code path.
- Detect the exploit payload pattern in the modname parameter: presence of single-quote, semicolon, PHP function names (system/exec/shell_exec/passthru), and base64_decode() in a single POST body value.
- Flag POST requests to ajax.php where the modname parameter contains PHP execution functions: exec, shell_exec, passthru, or system combined with base64_decode.
- The exploit requires prior authentication; correlate suspicious ajax.php POST requests with a preceding successful login POST to index.php with USERNAME and PASSWORD parameters.
- The Metasploit module sets a randomly generated PHPSESSID cookie; however, the response body containing 'hacking_log' (case-insensitive) is used to confirm successful payload delivery and can be used as a detection string.
- Exploitation requires valid credentials for an OpenSIS account; unauthenticated exploitation is not possible with this vector.
- The default Metasploit TARGETURI is '/opensis/'; installations at non-default paths will require adjusted detection rules.
- Affected versions are 4.5 through 5.2 only; verify the installed OpenSIS version before applying detection rules to avoid false positives on patched instances.
No detection rules found.
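The request-level checks from the Detection & IOCs list can be combined into one pass over HTTP events. The following is an added example, not a rule from this page or from the Metasploit module; the event schema (`client`, `method`, `path`, `body`, `response`) and the indicator names are assumptions, and the sample events are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

EXEC_FUNCS = re.compile(r"\b(?:system|exec|shell_exec|passthru)\b", re.I)

def score_modname(value):
    """Return the indicator names matched by one decoded modname value."""
    hits = set()
    if "?" in value:                      # '?' is the eval() trigger condition
        hits.add("eval_trigger")
    if EXEC_FUNCS.search(value) and "base64_decode" in value.lower():
        hits.add("exec_b64")
        if "'" in value and ";" in value:
            hits.add("payload_pattern")
    return hits

def analyze(events):
    """Scan events in time order; return (client, indicators) per flagged POST."""
    seen_login, alerts = set(), []
    for ev in (e for e in events if e["method"] == "POST"):
        # Match on the script name so non-default install paths are covered.
        script = urlsplit(ev["path"]).path.rsplit("/", 1)[-1].lower()
        form = parse_qs(ev.get("body", ""), keep_blank_values=True)
        if script == "index.php" and {"USERNAME", "PASSWORD"} <= form.keys():
            seen_login.add(ev["client"])  # login outcome is not checked here
            continue
        if script != "ajax.php":
            continue
        hits = set().union(*(score_modname(v) for v in form.get("modname", [])))
        if not hits:
            continue
        if ev["client"] in seen_login:
            hits.add("after_login")
        if "hacking_log" in ev.get("response", "").lower():
            hits.add("hacking_log_response")
        alerts.append((ev["client"], sorted(hits)))
    return alerts

# Constructed events (hypothetical schema); modname is inert indicator tokens.
SAMPLE = [
    {"client": "198.51.100.7", "method": "POST", "path": "/opensis/index.php",
     "body": "USERNAME=user&PASSWORD=redacted"},
    {"client": "198.51.100.7", "method": "POST", "path": "/opensis/ajax.php",
     "body": "modname=sample%3Fx+%27+%3B+passthru+base64_decode",
     "response": "Hacking_Log entry"},
    {"client": "203.0.113.9", "method": "POST", "path": "/sis/ajax.php",
     "body": "modname=students%2FStudent.php"},
]
```

A lone `eval_trigger` hit is a monitoring signal only; the higher-confidence alerts are those that also carry `exec_b64` or `hacking_log_response`.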
Exploit-DB
OpenSIS 'modname' - PHP Code Execution (Metasploit)
exploitdb · 2013-12-24
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "OpenSIS 'modname' PHP Code Execution",
      'Description' => %q{
        This module exploits a PHP code execution vulnerability in OpenSIS
        versions 4.5 to 5.2 which allows any authenticated user to execute
        arbitrary PHP code under the context of the web-server user.
        The 'ajax.php' file calls 'eval()' with user controlled data from
        the 'modname' parameter.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'EgiX', # Discovery
          'Brendan Coles ' # msf exploit
        ],
      'References' =>
        [
          ['CVE', '2013-1349'],
          ['OSVDB', '100676'],
          ['URL', 'http://karmainsecurity.com/KIS-2013-10'],
          ['URL', 'ht
```
Metasploit
OpenSIS 'modname' PHP Code Execution
metasploit
This module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.
No writeups or analysis indexed.
- http://karmainsecurity.com/KIS-2013-10
- http://secunia.com/advisories/55913
- http://sourceforge.net/p/opensis-ce/bugs/59/
- http://sourceforge.net/p/opensis-ce/code/1009
Published: 2013-12-09