CVE-2013-7392
published 2014-07-22

CVE-2013-7392: Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

Priority: P2 64 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 8.48% (94.3th percentile)

Detection & IOCs (extracted from sources)

path: /cache/x.php
other: PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo=
command: echo${IFS}<base64_payload>|base64${IFS}--decode
  • Monitor web server logs for POST/GET requests to /cache/x.php, which is the dropped webshell path used by the exploit.
  • Detect the base64-encoded PHP webshell payload string 'PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo=' appearing in HTTP request URIs, which decodes to a system() shell.
  • Flag use of ${IFS} as a space-bypass technique in HTTP request URIs targeting Gitlist blame endpoints, a characteristic evasion used by the Metasploit module.
  • The exploit specifically targets Gitlist version 0.4.0; the vulnerability is in the blame handler's failure to sanitize filenames containing shell metacharacters.
  • The exploit requires knowledge of a writable cache path on the target server to drop the webshell; the path is passed as a command-line argument.
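
The three request-level indicators listed above, as a log-triage sketch added here (not code from this page's sources or from the Metasploit module). It assumes combined-format access logs; the function names, sample lines and repository names are constructed for illustration. Request URIs are percent-decoded before matching, since the indicators may arrive encoded.

```python
import re
from urllib.parse import unquote

# Indicators taken from the Detection & IOCs list on this page.
WEBSHELL_PATH = "/cache/x.php"
PAYLOAD_B64 = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
IFS_TOKEN = "${IFS}"

# Assumption: Apache/nginx "combined" format; only the request line is parsed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded indicators still match."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line):
    """Return the sorted names of the indicators that one log line matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    uri = fully_decode(m.group("uri"))
    path = uri.split("?", 1)[0]
    hits = set()
    if path.endswith(WEBSHELL_PATH):
        hits.add("webshell_path")      # request to the dropped file
    if PAYLOAD_B64 in uri:
        hits.add("payload_b64")        # encoded payload string in the URI
    if IFS_TOKEN in uri and "/blame/" in uri:
        hits.add("ifs_in_blame")       # space-bypass token on a blame endpoint
    return sorted(hits)


# Constructed sample lines (not real traffic); repo and file names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /repo/blame/master/README.md HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /repo/blame/master/a%24%7BIFS%7Db HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /repo/blame/master/PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs%2FPgo%3D HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cache/x.php HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

A hit on `webshell_path` with a 200 status is the one to escalate first, since it means the file exists on disk.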