CVE-2017-9101
Published 2017-05-21
Priority P277 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 76.74% (99.5th percentile)
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lame_project | lame | >= 0 < 3.99.5+repack1-3ubuntu1+esm3 | 3.99.5+repack1-3ubuntu1+esm3 |
| lame_project | lame | >= 0 < 3.99.5+repack1-9ubuntu0.1~esm2 | 3.99.5+repack1-9ubuntu0.1~esm2 |
| playsms | playsms | — | — |
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP POST requests to the PlaySMS phonebook import endpoint (index.php?app=main&inc=feature_phonebook&route=import&op=import) where the User-Agent header contains PHP code patterns such as '<?php' or 'system('.
- Alert on multipart/form-data file uploads to the PlaySMS phonebook import route where the uploaded CSV file's Name field contains PHP tags (e.g., '<?php') combined with a suspicious User-Agent header.
- Monitor for CSV file uploads to PlaySMS where the Name field contains the string '$_SERVER['HTTP_USER_AGENT']' or similar PHP server variable references, indicating an attempt to chain CSV injection with User-Agent code execution.
- Exploitation requires prior authentication; the vulnerability is not exploitable without it. An attacker must have valid credentials (even a regular/low-privilege user account) before uploading the malicious CSV.
- The Metasploit module defaults to admin/admin credentials, suggesting default credentials are a prerequisite risk factor that should be addressed.
- The payload is base64-encoded via the php/base64 encoder and delivered through the HTTP User-Agent header, meaning plain-text PHP signature detection in the User-Agent may be bypassed; decoded content inspection is required.
- The vulnerability affects only PlaySMS version 1.4; verify the installed version before applying detection rules to avoid false positives on other versions.
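Added example (not taken from the sources quoted on this page): the User-Agent checks above applied to web server access logs, including the decoded-content inspection needed for base64-wrapped payloads. It assumes combined log format and a /playsms/ base path; the 'base64_decode(' marker and all sample lines are constructed for illustration, and the CSV Name field checks are out of scope because access logs do not carry request bodies.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Route parameters of the phonebook import endpoint, as listed on this page.
IMPORT_ROUTE = {"app": "main", "inc": "feature_phonebook",
                "route": "import", "op": "import"}
# '<?php' and 'system(' come from the page; 'base64_decode(' is an added assumption.
PHP_MARKERS = ("<?php", "system(", "base64_decode(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Combined log format: "METHOD URI PROTO" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$')

def is_import_route(uri):
    """True when the query string selects the phonebook import operation."""
    query = parse_qs(urlsplit(uri).query)
    return all(query.get(k, [""])[-1] == v for k, v in IMPORT_ROUTE.items())

def php_markers(text):
    lowered = text.lower()
    return [m for m in PHP_MARKERS if m in lowered]

def decoded_markers(ua):
    """Decode base64-looking runs in the header and scan the decoded bytes."""
    hits = []
    for run in B64_RUN.findall(ua):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. an ordinary product token
        hits += php_markers(raw.decode("latin-1"))
    return hits

def classify(line):
    """Return the reasons a log line is suspicious (empty list if none)."""
    m = LOG_LINE.search(line)
    if not m or m["method"] != "POST" or not is_import_route(m["uri"]):
        return []
    return ([f"plain:{x}" for x in php_markers(m["ua"])]
            + [f"base64:{x}" for x in decoded_markers(m["ua"])])

# Constructed sample lines (documentation IP range, placeholder payload text).
_B64 = base64.b64encode(b"system(CONSTRUCTED);").decode()
_REQ = ('192.0.2.10 - - [21/May/2017:10:00:00 +0000] "POST /playsms/index.php'
        '?app=main&inc=feature_phonebook&route=import&op=import HTTP/1.1" 200 512 "-" ')
SAMPLES = [_REQ + '"Mozilla/5.0 (X11; Linux x86_64)"',
           _REQ + '"<?php system(CONSTRUCTED); ?>"',
           _REQ + f'"eval(base64_decode({_B64}));"']
```

Run `classify` over each access-log line and alert on any non-empty result; pair it with the PlaySMS version check noted above to limit false positives.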
CVSS provenance
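| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 5.5 | MEDIUM | — |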
OSV
lame vulnerabilities
osv·2022-08-29·CVSS 5.5
CVE-2015-9099 lame vulnerabilities
It was discovered that LAME incorrectly handled certain audio files. A
remote attacker could possibly use this issue to cause a denial of service. Eight
vulnerabilities (CVE-2015-9099, CVE-2015-9100, CVE-2015-9101, CVE-2017-15018,
CVE-2017-11720, CVE-2017-8419, CVE-2017-9412, CVE-2017-15045) only affected Ubuntu 14.04
ESM, two vulnerabilities (CVE-2017-9410 and CVE-2017-9411) only affected Ubuntu
16.04 ESM, and one vulnerability (CVE-2017-15019) affected both Ubuntu 14.04
ESM and Ubuntu 16.04.
GHSA
GHSA-jrcp-p4m6-q89q: import
ghsa_unreviewed·2022-05-14
CVE-2017-9101 [CRITICAL] CWE-434 GHSA-jrcp-p4m6-q89q: import
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
No detection rules found.
Exploit-DB
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)
exploitdb·2018-05-08
CVE-2017-9101 PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'PlaySMS import.php Authenticated CSV File Upload Code Execution',
'Description' => %q{
This module exploits an authenticated file upload remote code execution vulnerability
in PlaySMS Version 1.4. This issue is caused by improper file contents handling in
import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV
file containing a malicious payload via vectors involving the User-Agent HTTP header
and PHP code in the User-Agent.
This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
},
'
Exploit-DB
PlaySMS 1.4 - 'import.php' Remote Code Execution
exploitdb·2017-05-21
CVE-2017-9101 PlaySMS 1.4 - 'import.php' Remote Code Execution
---
# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
# Date: 21-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
1. Description
Code Execution using import.php
We know import.php accepts a file and just reads the content,
not storing it on the server. But when we store a payload in our backdoor.csv
and upload it to the phonebook, it executes our payload and shows it on the next page in a field (NAME, MOBILE, Email, Group Code, Tags) accordingly.
In my case I stored my vulnerable code in my backdoor.csv file's Name field.
But There is one problem in execution. Its onl
Metasploit
PlaySMS import.php Authenticated CSV File Upload Code Execution
metasploit
This module exploits an authenticated file upload remote code execution vulnerability in PlaySMS Version 1.4. This issue is caused by improper file contents handling in import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV file containing a malicious payload via vectors involving the User-Agent HTTP header and PHP code in the User-Agent. This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
Published 2017-05-21