cbcvebase.
CVE-2016-6175
published 2017-02-07

CVE-2016-6175: Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.

Priority: P2 · 75 · critical · 9.8 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.66% (97.1th percentile)

Affected

4 ranges

Vendor              | Product     | Version range                      | Fixed in
--------------------|-------------|------------------------------------|--------------------------------
debian              | php-gettext | < php-gettext 1.0.12-1 (bookworm)  | php-gettext 1.0.12-1 (bookworm)
php-gettext_project | php-gettext | <= 1.0.12                          |
php-gettext_project | php-gettext | >= 0 < 1.0.12-1                    | 1.0.12-1
php-gettext_project | php-gettext | >= 0 < 1.0.12-1                    | 1.0.12-1

Detection & IOCs (extracted from sources)

filename: gettext.php
command: `nc -l -p 1337 -e /bin/sh`
path: /nagvis-1.8.5/share/frontend/nagvis-js/locale/
  • Monitor for eval() calls in PHP processes where the input originates from a parsed MO/PO file plural forms header — the vulnerable code path passes the unsanitized $string variable directly to eval().
  • Detect bypass of the preg_replace sanitizer in sanitize_plural_expression(): the regex @[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@ permits alphanumeric function names such as system(), allowing OS command injection through the eval() call.
  • Alert on unexpected modifications to MO/PO locale files in application locale directories (e.g. nagvis locale path), as an attacker may plant a crafted plural forms header to achieve code execution on next load.
  • Look for function calls to system() or similar OS-execution functions appearing inside the plural forms header string of MO files, as these pass through the permissive character whitelist and reach eval().
  • The vulnerability requires the attacker to control or tamper with a MO/PO translation file; it is not directly exploitable via a standard HTTP request unless the application exposes a file-upload or file-write path to untrusted users.
  • The NagVis patch removes the plural-forms functionality entirely rather than fixing the sanitizer; deployments relying on that patch may lose plural-form translation support.
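As an added example (not code from php-gettext or the NagVis patch), this Python script reproduces the character whitelist quoted in the bullets above beside a strict grammar check for Plural-Forms headers, showing why letter-permitting whitelists let a function name reach eval(). The strict validator is an assumed hardening alternative, and both headers are constructed samples.

```python
import re

# Character whitelist used by php-gettext's sanitize_plural_expression(), as quoted
# in the detection notes above. Characters NOT in the class are stripped; letters
# survive, so a bare function name such as system(...) passes straight through.
WEAK_WHITELIST = re.compile(r'[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]')

def weak_sanitize(header: str) -> str:
    """Reproduce the original sanitizer: delete disallowed characters, keep the rest."""
    return WEAK_WHITELIST.sub('', header)

# Strict tokenizer for the gettext Plural-Forms grammar (assumed hardening, not the
# upstream fix): only the variable n, integer literals, C-style comparison/logical/
# arithmetic operators and parentheses are legal tokens.
TOKEN = re.compile(r'\s*(?:(\d+)(?!\w)|(n)(?!\w)|(&&|\|\||[=!<>]=|[<>?:()%*/+\-!]))')

def strict_validate(header: str) -> bool:
    """True only for 'nplurals=<int>; plural=<expr>;' where <expr> is a pure expression over n."""
    m = re.fullmatch(r'\s*nplurals\s*=\s*\d+\s*;\s*plural\s*=\s*(.+?)\s*;?\s*', header)
    if not m:
        return False
    expr, pos, depth = m.group(1), 0, 0
    while pos < len(expr):
        t = TOKEN.match(expr, pos)
        if not t:
            return False  # identifier, quote or other token outside the grammar
        if t.group(3) == '(':
            depth += 1
        elif t.group(3) == ')':
            depth -= 1
            if depth < 0:
                return False
        pos = t.end()
    return depth == 0

# Constructed headers: a legitimate three-form plural rule and one carrying a function call.
GOOD_HEADER = 'nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;'
BAD_HEADER = 'nplurals=2; plural=system(n);'  # constructed; inert call, no OS command

if __name__ == '__main__':
    for h in (GOOD_HEADER, BAD_HEADER):
        print(f'{h!r}\n  weak sanitizer keeps: {weak_sanitize(h)!r}\n  strict validator: {strict_validate(h)}')
```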

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL