vendor:
WebSVN
by:
N/A
9.3
CVSS
HIGH
Remote Command Injection
78
CWE
Product Name: WebSVN
Affected Version From: 2.3.2002
Affected Version To: 2.3.2002
Patch Exists: NO
Related CWE: N/A
CPE: 2.3.2002
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows Server R2 SP2, PHP 5.3.6 VC9 with magic_quotes_gpc = off (default), Apache 2.2.17 VC9
2020
WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability
Without prior authentication, if the 'allowDownload' option is enabled in config.php, meaning that a tarball download is allowed across all the repositories (not uncommon), an attacker can invoke the dl.php script and passing a well formed 'path' argument to execute arbitrary commands against the underlying operating system.
Mitigation:
Disable the 'allowDownload' option in config.php and ensure that the 'path' argument is properly sanitized.