cbcvebase.
CVE-2014-5470
published 2024-06-21

Priority: P266
Severity: critical, CVSS 3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 10.01% (95.0th percentile)
Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation.

Detection & IOCs (extracted from sources)

  • cookie: ant=<cmd>
  • path: /lite/aa.php
  • cookie: anw=<random>.`$cot`
  • cookie: anm=<random>.`$cot`
  • path: /lite/view.php
  • path: /lite/admin.php
  • path: /lite/code.php
  • Detect exploitation attempts by monitoring HTTP requests to aa.php that include an 'ant' cookie with shell metacharacters (backticks, semicolons, pipe characters, etc.).
  • Flag HTTP requests to aa.php with the 'anp' GET parameter combined with suspicious 'ant', 'anw', or 'anm' cookie values containing backtick or command-substitution patterns.
  • A successful exploit response returns HTTP 302 with a Content-Type header matching 'image'; alert on this response pattern from aa.php following a request with shell-metacharacter cookies.
  • Monitor for unauthenticated POST requests to view.php with the parameter 'act=vis_grpg' and 'grpg=201', which is used by the exploit to enumerate monitored hostnames prior to payload delivery.
  • The exploit falls back to targeting '127.0.0.1' and 'localhost' as analytics hosts; requests to aa.php with anp=127.0.0.1 or anp=localhost alongside suspicious cookies are strong indicators of exploitation.
  • The default TARGETURI is '/lite/', so all vulnerable paths are relative to this base; deployments under a different base path will have different absolute URLs for aa.php, view.php, admin.php, and code.php.
  • The exploit requires a valid hostname or IP that is actively monitored by ActualAnalyzer (the 'anp' parameter); if no monitored host is found automatically, exploitation will fail unless ANALYZER_HOST is set manually.
  • The vulnerability affects ActualAnalyzer version 2.81 and prior; the module was tested on versions 2.81 and 2.75 on Ubuntu.