CVE-2013-7387
Published: 2014-06-02

CVE-2013-7387: Session fixation vulnerability in DataLife Engine (DLE) 9.7 and earlier allows remote attackers to hijack web sessions via the PHPSESSID cookie.

Priority: P3 · 41 · CVSS 2.0: 6.8 (medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 4.96% (91.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dleviet | datalife_engine | <= 9.7 | — |
No detection rules found.
Exploit-DB: DataLife Engine - 'preview.php' PHP Code Injection (Metasploit) (exploitdb, 2013-02-01)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'DataLife Engine preview.php PHP Code Injection',
'Description' => %q{
This module exploits a PHP code injection vulnerability in DataLife Engine 9.7.
The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
with the e modifier, which allows injecting arbitrary PHP code when the template
in use contains a [catlist] or [not-catlist] tag.
},
'Author' =>
[
'EgiX', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'L
```
Exploit-DB: DataLife Engine 9.7 - 'preview.php' PHP Code Injection (exploitdb, 2013-01-28, CVSS 7.5 [HIGH])
---
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

[-] Software Link: http://dleviet.com/
[-] Affected Version: 9.7 only.
[-] Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

```php
246. $c_list = implode (',', $_REQUEST['catlist']);
247.
248. if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249. $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250. }
251.
252. if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253. $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_lis
```
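The same [catlist] substitution done without the /e modifier, as an added example that is neither DLE's code nor the advisory's: preg_replace_callback() takes the place of the preg_replace() /e call so the captured tag contents stay plain strings, and check_category() is a hypothetical stand-in for DLE's own helper.

```php
<?php
// Added example, not DLE's code or the advisory's: the [catlist] substitution
// rewritten with preg_replace_callback() so the captured text stays data.
// check_category() is a hypothetical stand-in for DLE's own helper.
declare(strict_types=1);

// Assumed behaviour: keep $content only when one of the tag's categories
// is also in the comma-separated list that came from the request.
function check_category(string $categories, string $content, string $c_list): string
{
    $wanted = array_map('trim', explode(',', $categories));
    $have   = array_map('trim', explode(',', $c_list));
    return array_intersect($wanted, $have) !== [] ? $content : '';
}

// The shape used in preview.php, kept only as a reference string and never
// passed to preg_replace(): with the /e modifier PHP eval()s the replacement
// after substituting \1 and \2, so tag contents become code instead of text.
// PHP 7 removed /e altogether.
const LEGACY_PATTERN = '#\[catlist=(.+?)\](.*?)\[/catlist\]#ies';

// Hardened form: the callback receives the captures as ordinary strings.
function render_catlist(string $template, array $catlist): string
{
    $c_list = implode(',', array_map('strval', $catlist));  // as in the original
    $out = preg_replace_callback(
        '#\[catlist=(.+?)\](.*?)\[/catlist\]#is',
        static fn(array $m): string => check_category($m[1], $m[2], $c_list),
        $template
    );
    if ($out === null) {
        throw new RuntimeException('preg_replace_callback failed: ' . preg_last_error());
    }
    return $out;
}

// Constructed sample template whose tag body looks like PHP; it is echoed or
// dropped as plain text, never evaluated.
$template = 'Intro [catlist=3,4]<b>{$x}</b> more[/catlist] Outro';
echo render_catlist($template, [4]), "\n";  // category 4 requested: body kept
echo render_catlist($template, [9]), "\n";  // not requested: body removed
```

The [not-catlist] branch from the advisory is handled the same way, with the callback's result negated.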
No writeups or analysis indexed.