cbcvebase.
CVE-2014-8791
published 2014-12-02

CVE-2014-8791: project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection…

PriorityP350medium6CVSS 2.0
AVNACMAuSCPIPAP
EXPLOIT
EPSS
14.77%
96.3th percentile
project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
enaleantuleap

Detection & IOCsextracted from sources · hover to see the quote

pathsrc/www/project/register.php
path/project/register.php
bytes
O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}
  • Monitor POST requests to /project/register.php containing a 'data' parameter with PHP serialized object strings (beginning with 'O:' notation), particularly referencing class names 'Jabbex' or 'EventHandler'.
  • Detect HTTP requests to /project/register.php that include a custom 'payload' header containing Base64-encoded content, which is the exploit's mechanism for delivering PHP code to be eval()'d.
  • Alert on POST requests to /account/login.php followed immediately by POST requests to /project/register.php from the same session/IP, as this is the exploit's two-step login-then-inject pattern.
  • The exploit chain abuses the Jabbex destructor → Jabber call_user_func_array() → Transition_PostAction_FieldFactory fetchPostActions() → eval() call chain; look for eval() execution traces originating from register.php in PHP error/audit logs.
  • This vulnerability is only exploitable when 'sys_create_project_in_one_step' is disabled; confirm this configuration state when triaging alerts on affected Tuleap <= 7.6-4 instances.
  • ·The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible. Detection rules should account for valid session cookies being present on the malicious POST to /project/register.php.
  • ·The vulnerability is only triggerable when the 'sys_create_project_in_one_step' configuration option is disabled. Instances with this option enabled are not affected and should not generate true-positive alerts.
  • ·The Metasploit module targets Tuleap <= 7.6-4 over SSL (port 443 by default). Network-layer detections should account for TLS-encrypted traffic; payload inspection requires SSL inspection to be effective.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.