CVE-2017-6526
published 2017-03-09


Priority: P277 | critical | 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 57.40% (99.0th percentile)
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).

Affected

1 range
Vendor | Product | Version range | Fixed in
dnatools | dnalims | |

Detection & IOCs (extracted from sources)

path: cgi-bin/dna/sysAdmin.cgi
path: /home/dna/spool/.pfile
path: cgi-bin/dna/viewAppletFsa.cgi
path: cgi-bin/dna/configuration.cgi
  • Alert on unauthenticated HTTP POST requests to cgi-bin/dna/sysAdmin.cgi — GET requests require authentication but POST requests bypass all authentication checks, enabling direct OS command execution as the web user.
  • Monitor HTTP GET requests to viewAppletFsa.cgi with a seqID parameter containing null bytes or directory traversal sequences (e.g., '../') indicating exploitation of CVE-2017-6527 path traversal.
  • Detect attempts to retrieve the cleartext password file via directory traversal targeting /home/dna/spool/.pfile through viewAppletFsa.cgi.
  • Flag unauthenticated access to admin CGI pages (configuration.cgi, createCoInfo.cgi, configSystem.cgi, combineAcctsN.cgi) which should require authentication but are improperly protected.
  • Detect session hijacking attempts against seqreq2N.cgi by monitoring for requests where the username parameter contains a guessed or sequential four-digit UID without a valid session identifier prefix.
  • The cleartext password storage is described as likely the default configuration, meaning most deployments are exposed to credential theft via directory traversal without any additional attacker effort.
  • The seqTableSS.cgi XSS vector is client/install-specific: the wildcard segment of the filename reflects a short name for the customer organization, so the vulnerable path varies per deployment.
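
Added example (not part of this entry or of any vendor tooling): a sketch of the first four detection points above applied to web server access logs. The combined log format, the rule labels and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of an Apache/NGINX combined-format access log line (assumed format).
REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
ADMIN_PAGES = {"configuration.cgi", "createCoInfo.cgi", "configSystem.cgi", "combineAcctsN.cgi"}

def classify(line):
    """Return the rule names (hypothetical labels) that one log line triggers."""
    m = REQ.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if "/cgi-bin/dna/" not in url.path:
        return []
    script = url.path.rsplit("/", 1)[-1]
    hits = []
    # Any POST is suspect: the entry notes POSTs skip the authentication check.
    if script == "sysAdmin.cgi" and m["method"] == "POST":
        hits.append("sysadmin-post")
    if script == "viewAppletFsa.cgi":
        for raw in parse_qs(url.query, keep_blank_values=True).get("seqID", []):
            value = unquote(raw)  # second decode catches double-encoded input
            if "\x00" in value or "../" in value:
                hits.append("seqid-traversal")
            if ".pfile" in value:
                hits.append("pfile-read")
    # Access logs cannot show application login state, so queue these for review.
    if script in ADMIN_PAGES:
        hits.append("admin-page-access")
    return hits

def scan(lines):
    """Return (client_ip, hits) for every line that triggers at least one rule."""
    out = []
    for line in lines:
        hits = classify(line)
        if hits:
            out.append((REQ.match(line)["ip"], hits))
    return out

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Mar/2017:10:00:01 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Mar/2017:10:00:05 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=..%2F..%2Fspool%2F.pfile%00 HTTP/1.1" 200 90',
    '203.0.113.4 - - [09/Mar/2017:10:01:00 +0000] "GET /cgi-bin/dna/configuration.cgi HTTP/1.1" 200 2048',
    '203.0.113.9 - - [09/Mar/2017:10:02:00 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=1042 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits))
```

The session-hijacking and seqTableSS.cgi points are left out because they depend on session identifiers and per-install filenames that an access log line alone does not expose.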

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C