CVE-2017-17097
Published 2018-01-02
Priority P270 · Critical · CVSS 3.0 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged as available
EPSS: 6.95% (93.3rd percentile)
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.
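The following Python is an added example, not code from gps-server.net or from any source indexed on this page. It models why a gmdate()-derived password is guessable and puts the hardened reset flow beside it. The format string "YmdHis" (second resolution) is an assumption: the description only says the password comes from gmdate(), not which format fn_connect.php passes to it. The ResetTokenStore class, its 30-minute TTL and the 7-second clock offset in the demo are likewise illustrative choices, not details taken from the product.

```python
"""Why a gmdate()-derived reset password is guessable, with the hardened flow
beside it. Added example; not code from gps-server.net. The format "YmdHis"
(second resolution) is an ASSUMPTION: the CVE text only says the password is
derived from gmdate(), not which format string fn_connect.php uses."""
import datetime as dt
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def vulnerable_reset_password(now: dt.datetime) -> str:
    """Models the vulnerable pattern: the new password is a pure function of
    UTC time. PHP equivalent (assumed format): gmdate("YmdHis")."""
    return now.strftime("%Y%m%d%H%M%S")


def attacker_candidates(observed: dt.datetime, skew_seconds: int) -> List[str]:
    """Every password the server could have produced within +/-skew_seconds of
    the attacker's own clock. With second-resolution input that is at most
    2*skew+1 guesses, which is what a ~20-second window amounts to."""
    return [
        vulnerable_reset_password(observed + dt.timedelta(seconds=d))
        for d in range(-skew_seconds, skew_seconds + 1)
    ]


def guesses_needed(actual: str, candidates: List[str]) -> Optional[int]:
    """Login attempts the attacker needs; None if the true value is outside
    the window (or, for a random token, simply not in the list at all)."""
    for i, candidate in enumerate(candidates, start=1):
        if hmac.compare_digest(candidate, actual):
            return i
    return None


class ResetTokenStore:
    """Hardened flow: nothing changes at request time. The account is touched
    only when an unguessable, single-use, expiring token comes back from the
    e-mail link, and only the token's hash is stored server-side."""

    TTL = dt.timedelta(minutes=30)  # illustrative lifetime

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[bytes, dt.datetime]] = {}
        self.password_hashes: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def request_reset(self, username: str, now: dt.datetime) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, now + self.TTL)
        return token  # goes into the e-mail link only, never into the HTTP response

    def confirm(self, username: str, token: str, new_password: str,
                now: dt.datetime) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[username]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False  # a wrong guess does not consume the pending token
        del self._pending[username]  # single use
        salt = secrets.token_bytes(16)
        self.password_hashes[username] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True


def demo() -> dict:
    """Constructed scenario: the attacker's clock is 7 s behind the server's."""
    server_now = dt.datetime(2018, 1, 2, 12, 0, 7)
    attacker_now = dt.datetime(2018, 1, 2, 12, 0, 0)
    weak = vulnerable_reset_password(server_now)
    window = attacker_candidates(attacker_now, 20)
    store = ResetTokenStore()
    token = store.request_reset("admin", server_now)
    wrong = store.confirm("admin", "not-the-token", "x", server_now)
    right = store.confirm("admin", token, "x", server_now)
    reused = store.confirm("admin", token, "x", server_now)
    token2 = store.request_reset("admin", server_now)
    expired = store.confirm("admin", token2, "x", server_now + dt.timedelta(hours=1))
    return {
        "weak_password": weak,
        "window_size": len(window),
        "guesses_to_hit_weak": guesses_needed(weak, window),
        "guesses_to_hit_token": guesses_needed(token, window),
        "wrong_token_accepted": wrong,
        "right_token_accepted": right,
        "token_reusable": reused,
        "expired_token_accepted": expired,
    }


if __name__ == "__main__":
    print(demo())
```

The weak half needs at most 41 guesses once the attacker knows the reset happened within 20 s of their own clock, which is why the captcha and clock synchronisation, not the password itself, are the only obstacles noted in the detection section. The hardened half changes nothing until the e-mailed token is presented, so an unauthenticated request alone cannot lock the legitimate admin out.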
Affected
The source lists 33 ranges (25 shown); every row carries the same vendor and product, and no version bounds were extracted, so the table collapses to one entry. The description above gives the affected line as 2.x, and the detection notes below narrow it to versions up to 2.7, with 3.0 introducing a confirmation step.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gps-server | gps_tracking_software | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the password reset endpoint (the "recover" tab). In versions up to 2.7 such a request resets the password immediately, with no confirmation step; that is the CVE-2017-17097 behaviour.
- Alert on HTTP GET requests for log files matching /logs/YYYY_MM_user_access.php: that is the path at which a PHP webshell payload injected through the log-poisoning vector becomes reachable and executes.
- Detect PHP log-poisoning attempts: look for POST request bodies containing PHP code (e.g. `<?php ... ?>`) aimed at the CMS. The payloads are crafted without quote characters so that mysql_real_escape_string() sanitisation does not alter them.
- Flag the gmdate()-based password generation in fn_connect.php. The exploitation primitive is a date-derived reset password that is predictable within roughly a 20-second window, so monitor for a burst of login attempts with date-shaped passwords shortly after a reset request.
- The password reset flaw (CVE-2017-17097) affects versions up to 2.7 only; version 3.0 and later add a confirmation-link step that stops the immediate reset, although the source describes that fix as unintentional.
- The RCE via log poisoning fires only when an administrator views the log file, so reliable exploitation depends on chaining it with the account hijack (the password reset).
- The captcha on the password reset form prevents a fully automated remote exploit, and the attacker must synchronise with the target server's clock to predict the date-based password.
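The detection logic for the four indicators above, run over constructed request records, as an added example that is not code from any of the page's sources. Assumptions, since the page names only the "recover" tab and the /logs/YYYY_MM_user_access.php path: the reset and login endpoints are /index.php?tab=recover and /index.php?tab=login; the records are JSON lines with ts (epoch seconds), src, method, path, body and session (empty string = unauthenticated); the poisoning payload arrives in the login form's username field; and the burst threshold and window are illustrative values to tune to real traffic.

```python
"""Detection logic for the CVE-2017-17097 indicators, run over constructed
request records. Added example; not code from the page's sources.
ASSUMPTIONS: reset endpoint /index.php?tab=recover, login endpoint
/index.php?tab=login, JSON-lines record layout, and the burst parameters."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

LOG_FILE_RE = re.compile(r"^/logs/\d{4}_\d{2}_user_access\.php$")
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
BURST_WINDOW_S = 60   # login attempts counted this long after a reset request
BURST_THRESHOLD = 5   # attempts inside that window that count as a guessing burst

# Constructed sample traffic (not a real capture): one unauthenticated reset,
# a burst of date-shaped password guesses, a quote-free PHP payload in the
# login form, a fetch of the poisoned log file, and one benign request.
SAMPLE_LOG = """\
{"ts": 1514894400, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=recover", "body": "email=admin%40example.com&captcha=4g7x", "session": ""}
{"ts": 1514894405, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=admin&pass=20180102120000", "session": ""}
{"ts": 1514894410, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=admin&pass=20180102120001", "session": ""}
{"ts": 1514894415, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=admin&pass=20180102120002", "session": ""}
{"ts": 1514894420, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=admin&pass=20180102120003", "session": ""}
{"ts": 1514894425, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=admin&pass=20180102120004", "session": ""}
{"ts": 1514894430, "src": "203.0.113.7", "method": "POST", "path": "/index.php?tab=login", "body": "user=<?php system($_GET[c]); ?>&pass=x", "session": ""}
{"ts": 1514894500, "src": "203.0.113.7", "method": "GET", "path": "/logs/2018_01_user_access.php?c=id", "body": "", "session": ""}
{"ts": 1514894600, "src": "198.51.100.9", "method": "GET", "path": "/index.php?tab=map", "body": "", "session": "a1b2c3"}
"""


def split_path(raw: str) -> Tuple[str, str]:
    """Return (path without query, value of the ?tab= parameter or '')."""
    u = urlparse(raw)
    return u.path, parse_qs(u.query).get("tab", [""])[0]


def analyze(log_text: str) -> List[Dict]:
    records = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["ts"])
    alerts: List[Dict] = []
    resets: Dict[str, List[int]] = defaultdict(list)
    logins: Dict[str, List[int]] = defaultdict(list)

    for r in records:
        path, tab = split_path(r["path"])
        body = r.get("body", "")
        is_post = r["method"] == "POST"
        # (1) reset endpoint hit with no session: on <= 2.7 this alone replaces the password
        if is_post and path == "/index.php" and tab == "recover" and not r.get("session"):
            alerts.append({"rule": "reset_request_unauthenticated", "severity": "info",
                           "src": r["src"], "ts": r["ts"]})
            resets[r["src"]].append(r["ts"])
        if is_post and path == "/index.php" and tab == "login":
            logins[r["src"]].append(r["ts"])
        # (2) direct fetch of the log file that the poisoning vector turns into a PHP shell
        if r["method"] == "GET" and LOG_FILE_RE.match(path):
            alerts.append({"rule": "log_file_access", "severity": "high",
                           "src": r["src"], "ts": r["ts"], "path": path})
        # (3) PHP tags in a request body; quote-free payloads survive mysql_real_escape_string()
        if PHP_TAG_RE.search(body):
            alerts.append({"rule": "php_in_request_body", "severity": "high",
                           "src": r["src"], "ts": r["ts"],
                           "quote_free": not any(q in body for q in "\"'")})
    # (4) a reset request followed by a burst of login attempts from the same source
    for src, reset_times in resets.items():
        for t0 in reset_times:
            n = sum(1 for t in logins[src] if t0 < t <= t0 + BURST_WINDOW_S)
            if n >= BURST_THRESHOLD:
                alerts.append({"rule": "login_burst_after_reset", "severity": "high",
                               "src": src, "ts": t0, "attempts": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Rule (1) fires on every legitimate reset as well, which is why it is emitted at info severity and used as the anchor for the correlation in rule (4) rather than paged on its own. Rule (3) reports whether the body is quote-free so an analyst can see at a glance that the payload was shaped to pass mysql_real_escape_string() untouched.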
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
No writeups or analysis indexed.