CVE-2017-9101
published 2017-05-21

Priority: P277, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 76.74% (99.5th percentile)
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
lame_project | lame | >= 0 < 3.99.5+repack1-3ubuntu1+esm3 | 3.99.5+repack1-3ubuntu1+esm3
lame_project | lame | >= 0 < 3.99.5+repack1-9ubuntu0.1~esm2 | 3.99.5+repack1-9ubuntu0.1~esm2
playsms | playsms | |

Detection & IOCs (extracted from sources)

url: index.php?app=main&inc=feature_phonebook&route=import&op=list
path: import.php
filename: backdoor.csv
command: <?php $t=$_SERVER['HTTP_USER_AGENT'];system($t);?>
other: X-CSRF-Token
other: php/meterpreter/reverse_tcp
other: php/base64
  • Detect exploitation attempts by monitoring HTTP POST requests to the PlaySMS phonebook import endpoint (index.php?app=main&inc=feature_phonebook&route=import&op=import) where the User-Agent header contains PHP code patterns such as '<?php' or 'system('.
  • Alert on multipart/form-data file uploads to the PlaySMS phonebook import route where the uploaded CSV file's Name field contains PHP tags (e.g., '<?php') combined with a suspicious User-Agent header.
  • Monitor for CSV file uploads to PlaySMS where the Name field contains the string $_SERVER['HTTP_USER_AGENT'] or similar PHP server variable references, indicating an attempt to chain CSV injection with User-Agent code execution.
  • Exploitation requires prior authentication; the vulnerability is not unauthenticated. An attacker must have valid credentials (even a regular/low-privilege user account) before uploading the malicious CSV.
  • The Metasploit module defaults to admin/admin credentials, suggesting default credentials are a prerequisite risk factor that should be addressed.
  • The payload is base64-encoded via the php/base64 encoder and delivered through the HTTP User-Agent header, meaning plain-text PHP signature detection in the User-Agent may be bypassed; decoded content inspection is required.
  • The vulnerability affects only PlaySMS version 1.4; verify the installed version before applying detection rules to avoid false positives on other versions.
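
The checks listed above, combined into one detector as an added example (not code from this page's sources or from PlaySMS): it scopes to POSTs on the phonebook import route, inspects the User-Agent both raw and after decoding any base64-looking run, and inspects the CSV Name column. The request-record layout, the `Name` column header, the 16-character base64 threshold and the sample records are assumptions constructed for illustration.

```python
import base64, binascii, csv, io, re
from urllib.parse import urlsplit, parse_qs

MARKERS = ("<?php", "system(", "HTTP_USER_AGENT")   # strings named in the notes above
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # assumption: 16+ chars is worth decoding

def is_import_route(url):
    """True for the phonebook import route, whatever the op= value."""
    q = parse_qs(urlsplit(url).query)
    return (q.get("app") == ["main"] and q.get("inc") == ["feature_phonebook"]
            and q.get("route") == ["import"])

def decoded_views(value):
    """Yield the raw header, then the decoding of each base64-looking run in it."""
    yield value
    for run in B64_RUN.findall(value):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", "replace")

def inspect(req):
    """Return sorted findings for one request record; empty list means no alert."""
    if req["method"] != "POST" or not is_import_route(req["url"]):
        return []
    found = set()
    for view in decoded_views(req["user_agent"]):
        found.update(f"user-agent:{m}" for m in MARKERS if m in view)
    for row in csv.DictReader(io.StringIO(req.get("csv", ""))):
        name = row.get("Name") or ""
        found.update(f"csv-name:{m}" for m in MARKERS if m in name)
    return sorted(found)

# Constructed sample records (not captured traffic).
ROUTE = "index.php?app=main&inc=feature_phonebook&route=import&op=import"
BENIGN = {"method": "POST", "url": ROUTE, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
          "csv": "Name,Mobile\nAlice,15550100\n"}
SUSPECT = {"method": "POST", "url": ROUTE,
           "user_agent": "Mozilla/5.0 " + base64.b64encode(b"<?php echo 1; ?>").decode(),
           "csv": "Name,Mobile\n<?php $t=$_SERVER['HTTP_USER_AGENT'];system($t);?>,1\n"}

if __name__ == "__main__":
    for rec in (BENIGN, SUSPECT):
        print(inspect(rec))
```

The decoded-view pass is what catches the encoded User-Agent in `SUSPECT`; a plain substring match on the raw header returns nothing for it.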

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 5.5 | MEDIUM