CVE-2014-8998
published 2014-11-20


Priority: P3 · 54 · medium
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EXPLOIT
EPSS: 36.83% (98.3th percentile)

lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.

Affected

10 ranges
Vendor | Product | Version range | Fixed in
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat
x7chat | x7_chat

Detection & IOCs (extracted from sources)

path: lib/message.php
path: /x7chat2/index.php
command: www.{${eval(base64_decode($_SERVER[HTTP_<RAND>]))}}.c<RAND>
  • Detect GET requests to index.php with act=user_cp or act=usercp, cp_page=msgcenter, and a 'to', 'subject', and 'body' parameter where the body contains a preg_replace /e eval injection pattern such as '${eval(base64_decode($_SERVER[HTTP_...]))}'.
  • Detect HTTP requests to index.php with act=user_cp/usercp&cp_page=msgcenter&read=<id> that also carry an anomalous custom HTTP header containing a base64-encoded payload (used to deliver the PHP code via $_SERVER[HTTP_<RAND>]).
  • Alert on authentication cookies X7C2U and X7C2P (MD5-hashed password) appearing in requests to index.php alongside message-center actions, as this is the session mechanism used by the exploit.
  • The exploit checks for successful code execution by looking for 'This program makes use of the Zend' in the response body (phpinfo() output); alert on this string appearing in HTTP responses from the X7 Chat application.
  • The vulnerability is triggered via a crafted HTTP header processed by preg_replace() with the /e (eval) modifier in lib/message.php; monitor for preg_replace /e usage or PHP eval execution originating from message.php in application logs.
  • Exploit requires prior authentication; attacker must supply valid USERNAME and PASSWORD credentials for the X7 Chat application before code execution is possible.
  • The exploit has two code paths targeting different URL parameter names ('act=user_cp' for versions 2.0.2–2.0.5.1 and 'act=usercp' for versions 2.0.0–2.0.1a1); detection rules should cover both variants.
  • The PHP payload is delivered via a randomly named custom HTTP header (base64-encoded, padded with spaces to avoid '=' characters in the base64 string); the header name is randomized per session, making static header-name signatures insufficient alone.
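
The detection notes above can be combined into one log-side check that covers both `act` variants and does not depend on the header name. This is an added example, not code from the advisory or from X7 Chat; the request-record shape (`url`, `headers`), the header allow-list, the host `chat.example` and all sample values are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Marker quoted on this page: ${eval(base64_decode($_SERVER[HTTP_...]))}
INJECT_RE = re.compile(r"\$\{\s*eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\[", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
ACTS = {"user_cp", "usercp"}  # 2.0.2-2.0.5.1 and 2.0.0-2.0.1a1 variants
# Assumed allow-list of ordinary headers; extend it for your environment.
KNOWN_HEADERS = {"host", "user-agent", "accept", "accept-language",
                 "accept-encoding", "cookie", "referer", "connection", "authorization"}

def looks_base64(value):
    """Heuristic: one long base64 token, with or without '=' padding."""
    v = value.strip()
    return len(v) % 4 == 0 and B64_RE.fullmatch(v) is not None

def findings(req):
    """Return the detection notes that a request record matches."""
    url = urlsplit(req["url"])
    q = parse_qs(url.query, keep_blank_values=True)
    if not url.path.endswith("/index.php"):
        return []
    if not (ACTS & set(q.get("act", [])) and "msgcenter" in q.get("cp_page", [])):
        return []
    hits = []
    # Message submission whose body carries the preg_replace /e marker.
    if {"to", "subject", "body"} <= q.keys() and any(INJECT_RE.search(b) for b in q["body"]):
        hits.append("stored-injection")
    # Message read with an unexpected header holding a base64 blob.
    if "read" in q:
        odd = sorted(h for h, v in req["headers"].items()
                     if h.lower() not in KNOWN_HEADERS and looks_base64(v))
        if odd:
            hits.append("trigger-header:" + ",".join(odd))
    return hits

# Constructed sample records (not captured traffic).
BASE = "/x7chat2/index.php?"
BROWSER = {"Host": "chat.example", "User-Agent": "Mozilla/5.0", "Cookie": "X7C2U=alice"}
SAMPLES = [
    {"url": BASE + urlencode({"act": "user_cp", "cp_page": "msgcenter", "to": "alice",
                              "subject": "hi",
                              "body": "www.{${eval(base64_decode($_SERVER[HTTP_<RAND>]))}}.c<RAND>"}),
     "headers": BROWSER},
    {"url": BASE + "act=usercp&cp_page=msgcenter&read=7",
     "headers": {**BROWSER, "Xq7zk": base64.b64encode(b"constructed sample only.").decode()}},
    {"url": BASE + "act=user_cp&cp_page=msgcenter&read=7", "headers": BROWSER},
]
```

The base64 test is a heuristic and will also match other long opaque tokens in non-allow-listed headers, so treat a `trigger-header` hit as a lead to correlate with a preceding `stored-injection` hit from the same session.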