module
vBSEO proc_deutf() Remote PHP Code Injection
| Disclosed | Created |
|---|---|
| Jan 23, 2012 | May 30, 2018 |
Disclosed
Jan 23, 2012
Created
May 30, 2018
Description
This module exploits a vulnerability in the 'proc_deutf()' function
defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
3.6.0 and earlier. User input passed through 'char_repl' POST parameter
isn't properly sanitized before being used in a call to preg_replace()
function which uses the 'e' modifier. This can be exploited to inject
and execute arbitrary code leveraging the PHP's complex curly syntax.
defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
3.6.0 and earlier. User input passed through 'char_repl' POST parameter
isn't properly sanitized before being used in a call to preg_replace()
function which uses the 'e' modifier. This can be exploited to inject
and execute arbitrary code leveraging the PHP's complex curly syntax.
Author
EgiX [email protected]
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.