Arbitrary PHP code execution in Mt-phpincgi - CVE-2015-2945
Published: February 1, 2017 / Updated: March 10, 2017
Vulnerability identifier: #VU5582
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2015-2945
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: H-fj
Affected software:
Mt-phpincgi
Mt-phpincgi
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The weakness exists due to improper validation of input when performing an unserialize() call. A remote attacker can send a specially crafted URL request, inject and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The weakness exists due to improper validation of input when performing an unserialize() call. A remote attacker can send a specially crafted URL request, inject and execute arbitrary PHP code on the system.
Successful exploitation of the vulnerability results in arbitrary PHP code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
How to mitigate CVE-2015-2945
Update to a patched version released after 2015-05-15.