Security / MoxieManager PHP RCE Vulnerability

Impact

A RCE vulnerability was discovered in MoxieManager PHP installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code.

Patches

This vulnerability has been patched in MoxieManager PHP 4.0.0 by:

• Sanitizing all request input data to the InstallCommand
• Escaping the values that get inserted into the config.php with addslashes
• Check so that the installer process can’t be executed after installation

Fix

A patch for this security issue was released as part of the 4.0.0 version, and users are strongly advised to update to the latest MoxieManager versions.

Workaround

A workaround is to manually delete the install directory after installing the software.

Acknowledgements

Tiny Technologies would like to thank Pierre-Yves Guerder for discovering this vulnerability.

Severity Score

9.4 (critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

For more information

If you have any questions or comments about this:

Email us at infosec@tiny.cloud