Main Vulnerability Database Exploits ID:5863 - Exploit for OS Command Injection in rConfig - CVE-2019-16663

ID:5863 - Exploit for OS Command Injection in rConfig - CVE-2019-16663

Published: June 17, 2021

Vulnerability identifier: #VU22513

Vulnerability risk: High

CVE-ID: CVE-2019-16663

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
rConfig

Link to public exploit:

https://www.exploit-db.com/exploits/47602/

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to the "catCommand" parameter is passed to the "exec" function without filtering. A remote authenticated attacker can send a specially crafted GET request to "search.crud.php" file and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability can be exploited without authentication for all versions before rConfig 3.6.0.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

ID:5863 - Exploit for OS Command Injection in rConfig - CVE-2019-16663

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human