module
vBSEO proc_deutf() Remote PHP Code Injection
| Disclosed | Created |
|---|---|
| Jan 23, 2012 | May 30, 2018 |
Disclosed
Jan 23, 2012
Created
May 30, 2018
Description
This module exploits a vulnerability in the 'proc_deutf()' function
defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
3.6.0 and earlier. User input passed through 'char_repl' POST parameter
isn't properly sanitized before being used in a call to preg_replace()
function which uses the 'e' modifier. This can be exploited to inject
and execute arbitrary code leveraging the PHP's complex curly syntax.
defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
3.6.0 and earlier. User input passed through 'char_repl' POST parameter
isn't properly sanitized before being used in a call to preg_replace()
function which uses the 'e' modifier. This can be exploited to inject
and execute arbitrary code leveraging the PHP's complex curly syntax.
Author
EgiX [email protected]
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.