Security / MoxieManager PHP RCE Vulnerability
Impact
An RCE vulnerability was discovered in the MoxieManager PHP installer command. It allows unauthenticated attackers to inject and execute arbitrary code.
Patches
This vulnerability has been patched in MoxieManager PHP 4.0.0 by:
- Sanitizing all request input data to the InstallCommand
- Escaping the values that get inserted into config.php with addslashes
- Checking that the installer process can't be executed after installation
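The three fixes listed above, shown together in an added PHP example that is not MoxieManager's own code. The config and lock file locations, the option names, and the sample request are assumptions constructed for illustration:

```php
<?php
// Added example (not MoxieManager's code): a hardened installer step
// implementing the three fixes from the advisory. Paths and option names
// below are assumptions, not taken from the project.
declare(strict_types=1);

const CONFIG_FILE  = __DIR__ . '/config.php';          // assumed config location
const INSTALL_LOCK = __DIR__ . '/install/.installed';  // assumed lock marker

/** Fix 3: refuse to run the installer once installation has completed. */
function installerAllowed(): bool
{
    return !file_exists(INSTALL_LOCK) && !file_exists(CONFIG_FILE);
}

/** Fix 1: keep only the keys the installer expects and coerce them to strings. */
function sanitizeInstallInput(array $request): array
{
    $allowed = ['rootpath', 'license'];  // assumed installer options
    $clean = [];
    foreach ($allowed as $key) {
        $clean[$key] = trim((string)($request[$key] ?? ''));
    }
    return $clean;
}

/** Fix 2: emit each value as a single-quoted PHP literal, escaped with addslashes. */
function renderConfig(array $options): string
{
    $lines = ['<?php', '$moxieManagerConfig = [];'];
    foreach ($options as $key => $value) {
        // addslashes() escapes ' " \ and NUL, so a value can no longer
        // terminate the string literal and append its own PHP statements.
        $lines[] = sprintf("\$moxieManagerConfig['%s'] = '%s';",
                           addslashes($key), addslashes($value));
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample request: the apostrophe would end the literal early
// if written unescaped; the unexpected key is dropped by the allow-list.
$sample = ['rootpath' => "/var/www/files/o'brien", 'license' => 'ABC-123', 'debug' => '1'];

if (!installerAllowed()) {
    http_response_code(403);
    exit("Installer is disabled after installation.\n");
}
echo renderConfig(sanitizeInstallInput($sample));
// In a real install step the rendered text would be written to CONFIG_FILE
// with file_put_contents(..., LOCK_EX) and INSTALL_LOCK created with touch().
```

var_export() is a stricter way to emit PHP literals than addslashes() inside a hand-built single-quoted string, since addslashes() also backslash-escapes double quotes, which PHP keeps verbatim in single-quoted literals.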
Fix
A patch for this security issue was released as part of the 4.0.0 version, and users are strongly advised to update to the latest MoxieManager versions.
Workaround
A workaround is to manually delete the install directory after installing the software.
Acknowledgements
Tiny Technologies would like to thank Pierre-Yves Guerder for discovering this vulnerability.
Severity Score
9.4 (critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
For more information
If you have any questions or comments about this:
Email us at infosec@tiny.cloud