CVE-2018-1000533
Published: 2018-06-26
Priority: P278 · critical · 9.8 (CVSS 3.1)
EXPLOIT
EPSS: 72.97% (99.4th percentile)
klaussilveira GitList version <= 0.6 contains a "passing incorrectly sanitized input to system function" vulnerability in the `searchTree` function that can result in execution of arbitrary code as the PHP user. This attack appears to be exploitable via a POST request using the search form. This vulnerability appears to have been fixed in 0.7 after commit 87b8c26b023c3fc37f0796b14bb13710f397b322.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlist | gitlist | <= 0.6.0 | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlist_arg_injection.rb
- Monitor for POST requests to GitList search form endpoints: the exploit is delivered via a POST request to the search functionality, which reaches the `searchTree` function.
- Detect GitList version 0.6.0 or earlier by matching the regex `GitList (.*?)'` against the HTTP response body, as the nuclei detection template does.
- The root cause is improper use of `escapeshellarg` in PHP, which quotes a value but does not stop it from being interpreted as a command-line option. Alert on argument injection patterns (shell metacharacters or `--` flag injection) in search query parameters sent to GitList instances.
- The vulnerability is only present in GitList <= 0.6; instances running 0.7+ (after commit 87b8c26b) are patched. Scope detection rules accordingly to avoid false positives on patched deployments.
- Code execution occurs in the context of the PHP user running the web server process, so post-exploitation impact is bounded by that user's OS privileges.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
GitList < 0.6.0 Remote Code Execution (nuclei · CVSS 9.8)
CVE-2018-1000533 [CRITICAL] GitList < 0.6.0 Remote Code Execution
Matcher: regex `GitList (.*?)'` on the response body (part: body, internal: true)
Metasploit
GitList v0.6.0 Argument Injection Vulnerability (metasploit)
This module exploits an argument injection vulnerability in GitList v0.6.0. The vulnerability arises from GitList improperly validating input using the PHP function `escapeshellarg`.
References:
- https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
- https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
Published: 2018-06-26