CVE-2017-17098
published 2018-01-02

Priority: P262
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.64% (93.0th percentile)
The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by in a login request.

Affected

1 range

Vendor | Product | Version range | Fixed in
gps-server | gps_tracking_software | <= 3.0 |

Detection & IOCs

path: /logs/YYYY_MM_user_access.php
path: fn_common.php
  • Monitor POST requests to the login endpoint for PHP code injection patterns (e.g., PHP tags or function calls) that do not contain quotes, as the payload is crafted to bypass mysql_real_escape_string() by avoiding quote characters.
  • Alert on HTTP GET requests to date-patterned PHP log files under /logs/ (matching pattern /logs/YYYY_MM_user_access.php), which may indicate an attacker retrieving a planted web shell.
  • Detect PHP code execution triggered during admin log viewing — injected code in the log file is executed server-side when an admin accesses the log, so monitor for unexpected process spawning from the web server process coinciding with admin log access.
  • For the chained password reset vulnerability (≤2.7), monitor for unauthenticated password reset requests followed rapidly by login attempts using gmdate()-derived predictable passwords (date-based strings).
  • The injected PHP web shell is written into a monthly rotating log file. If the log file is corrupted by a malformed payload, a new exploitable log file will not be generated until the next calendar month.
  • The RCE is only triggered when an admin views the log files; without chaining with the account hijack vulnerability, exploitation is not fully remote/autonomous.
  • The predictable password reset vulnerability only affects versions up to 2.7; it was unintentionally patched between 2.7 and 3.0 by adding a confirmation link step, making timing-based password prediction infeasible on 3.0+.
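
The second detection item above (requests to date-patterned log files under /logs/) can be checked against web server access logs. The following is an added example, not code from this page or from the vendor; it assumes Apache/nginx Combined Log Format, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed input: Combined Log Format,
#   ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Monthly log file named on this page; the month is restricted to 01-12.
LOG_PATH_RE = re.compile(r'/logs/\d{4}_(?:0[1-9]|1[0-2])_user_access\.php$', re.I)

def normalise(target):
    """Drop query/fragment, decode percent-encoding twice, collapse slashes."""
    path = target.split('?', 1)[0].split('#', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r'/+', '/', path)

def find_log_fetches(lines):
    """Return one dict per request that targets a date-patterned log file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, ts, method, target, status = m.groups()
        if LOG_PATH_RE.search(normalise(target)):
            hits.append({"ip": ip, "time": ts, "method": method, "target": target,
                         "served": status.startswith("2"),  # 2xx: file was returned
                         "has_query": "?" in target})
    return hits

def served_by_client(hits):
    """Count 2xx fetches of the log file per client IP."""
    counts = {}
    for h in hits:
        if h["served"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '203.0.113.7 - - [04/Dec/2017:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [04/Dec/2017:10:05:40 +0000] "GET /logs/2017_12_user_access.php HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [04/Dec/2017:10:05:52 +0000] "GET /logs/2017_12_user_access%2Ephp?x=1 HTTP/1.1" 200 97 "-" "-"',
    '198.51.100.9 - - [04/Dec/2017:11:00:00 +0000] "GET //logs/2017_11_USER_ACCESS.PHP HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.15 - - [04/Dec/2017:11:30:00 +0000] "GET /logs/2017_13_user_access.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_log_fetches(SAMPLE):
        print(hit)
```

A 2xx response means the web server returned the log file as a PHP page rather than blocking it, so those hits deserve review first; denying direct web access to the logs directory removes the signal and the exposure together.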

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P