CVE-2014-8998
Published 2014-11-20
Priority P3 · 54 · medium · CVSS 2.0 score 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit available · EPSS 36.83% (98.3rd percentile)
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| x7chat | x7_chat | — | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to index.php with act=user_cp or act=usercp, cp_page=msgcenter, and 'to', 'subject', and 'body' parameters where the body contains a preg_replace /e eval injection pattern such as '${eval(base64_decode($_SERVER[HTTP_...]))}'.
- Detect HTTP requests to index.php with act=user_cp/usercp&cp_page=msgcenter&read=<id> that also carry an anomalous custom HTTP header containing a base64-encoded payload (used to deliver the PHP code via $_SERVER[HTTP_<RAND>]).
- Alert on authentication cookies X7C2U and X7C2P (MD5-hashed password) appearing in requests to index.php alongside message-center actions, as this is the session mechanism used by the exploit.
- The exploit checks for successful code execution by looking for 'This program makes use of the Zend' in the response body (phpinfo() output); alert on this string appearing in HTTP responses from the X7 Chat application.
- The vulnerability is triggered via a crafted HTTP header processed by preg_replace() with the /e (eval) modifier in lib/message.php; monitor for preg_replace /e usage or PHP eval execution originating from message.php in application logs.
- Exploitation requires prior authentication; the attacker must supply valid USERNAME and PASSWORD credentials for the X7 Chat application before code execution is possible.
- The exploit has two code paths targeting different URL parameter names ('act=user_cp' for versions 2.0.2–2.0.5.1 and 'act=usercp' for versions 2.0.0–2.0.1a1); detection rules should cover both variants.
- The PHP payload is delivered via a randomly named custom HTTP header (base64-encoded, padded with spaces to avoid '=' characters in the base64 string); the header name is randomized per session, so static header-name signatures are insufficient on their own.
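The detection points above, combined into one request classifier as an added example (not code from this page or from X7 Chat). It assumes requests arrive as dicts with "uri", "headers" and "body" keys, uses an assumed allow-list of ordinary header names, and runs over constructed sample traffic covering both URL variants and both exploit stages.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added detection example for the CVE-2014-8998 traffic pattern; not code from
# the page or the X7 Chat project. Request shape {"uri", "headers", "body"} is
# an assumption of this example.
MSGCENTER_ACTS = {"user_cp", "usercp"}        # both URL variants (2.0.2+ and 2.0.0-2.0.1a1)
# preg_replace /e injection as quoted on the page: ${eval(base64_decode($_SERVER[HTTP_...]))}
EVAL_INJECT = re.compile(r"\$\{\s*eval\s*\(.*\$_SERVER\s*\[\s*HTTP_", re.I | re.S)
# Headers the app normally sees (assumed allow-list); any other header carrying a
# long base64-looking value (spaces instead of '=' padding, per the page) is anomalous.
KNOWN_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
                 "cookie", "content-type", "content-length", "connection", "referer"}
B64ISH = re.compile(r"^[A-Za-z0-9+/]{24,}[ ]*$")
PHPINFO_MARKER = "This program makes use of the Zend"   # success check used by the module

def is_msgcenter_request(uri):
    # True for index.php?act=user_cp|usercp&cp_page=msgcenter in either URL variant
    q = parse_qs(urlsplit(uri).query)
    return (urlsplit(uri).path.endswith("index.php")
            and q.get("act", [""])[0] in MSGCENTER_ACTS
            and q.get("cp_page", [""])[0] == "msgcenter")

def classify_request(req):
    """Return a list of finding labels for one request (empty list = nothing seen)."""
    findings = []
    if not is_msgcenter_request(req["uri"]):
        return findings
    form = parse_qs(req.get("body", ""))          # stage 1: message body with the eval pattern
    if {"to", "subject", "body"} <= set(form) and EVAL_INJECT.search(form["body"][0]):
        findings.append("eval-injection-in-message-body")
    for name, value in req.get("headers", {}).items():   # stage 2: payload in a random header
        if name.lower() not in KNOWN_HEADERS and B64ISH.match(value):
            findings.append(f"anomalous-base64-header:{name}")
    return findings

def response_suspicious(resp_body):
    """True if a response from the chat application carries phpinfo() output."""
    return PHPINFO_MARKER in resp_body

# Constructed sample traffic: a legitimate message, then the two exploit stages.
SAMPLES = [
    {"uri": "/x7chat/index.php?act=user_cp&cp_page=msgcenter", "body": "to=bob&subject=hi&body=lunch%3F",
     "headers": {"Host": "chat.example", "Cookie": "X7C2U=alice; X7C2P=0123456789abcdef0123456789abcdef"}},
    {"uri": "/x7chat/index.php?act=usercp&cp_page=msgcenter", "headers": {"Host": "chat.example"},
     "body": "to=bob&subject=x&body=%24%7Beval(base64_decode(%24_SERVER%5BHTTP_QJZKDW%5D))%7D"},
    {"uri": "/x7chat/index.php?act=usercp&cp_page=msgcenter&read=7",
     "headers": {"Host": "chat.example", "QJZKDW": "cGhwaW5mbygpOyAgICAgICAgICAgICAgICAgICAgICAgICAg  "}},
]
```

Header-name randomization is why the second rule keys on the value shape and the allow-list rather than on a fixed name; tune KNOWN_HEADERS to what your proxy or application actually sees to keep false positives down.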
No detection rules found.
Exploit-DB
X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)
exploitdb·2014-11-06
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

# Class header and initialize() wrapper restored where HTML extraction dropped
# the '<' ... '>' spans; the module source is truncated in the original.
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
      'Description' => %q{
        This module exploits a post-auth vulnerability found in X7 Chat versions
        2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
        uses preg_replace() function with the /e modifier. This allows a remote
        authenticated attacker to execute arbitrary PHP code in the remote machine.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Fernando Munoz ', # discovery & module development
          'Juan Escobar ',   # module development @itsecurityco
        ],
      'References'  =>
        [
          # Usi
```
Metasploit
X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution
This module exploits a post-auth vulnerability found in X7 Chat versions 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which uses preg_replace() function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/128964/X7-Chat-2.0.5-lib-message.php-preg_replace-PHP-Code-Execution.html
- http://www.exploit-db.com/exploits/35183
- http://www.securityfocus.com/bid/71014
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98513