Eaton Network Shutdown Module view_list.php paneStatusListSortBy Parameter eval() Call Remote PHP Code Execution

critical Nessus Plugin ID 60082

Synopsis

The remote web server hosts a PHP script that can be abused to execute arbitrary PHP code.

Description

The version of the Eaton Network Shutdown Module hosted on the remote web server does not sanitize user input to the 'paneStatusListSortBy' parameter of the 'view_list.php' script before using it as part of a command to be executed via PHP's 'eval()' function.

An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the affected host with administrative privileges.

Note that successful exploitation of this issue requires that the software is configured with at least one power device and that the install is likely to be affected by two other issues, although Nessus has not checked for them.

Solution

Unknown at this time.

Plugin Details

Severity: Critical

ID: 60082

File Name: network_shutdown_module_view_list_cmd_exec.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 7/20/2012

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/h:eaton:network_shutdown_module

Required KB Items: www/eaton_nsm

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 6/22/2012

Exploitable With

Metasploit (Network Shutdown Module (sort_values) Remote PHP Code Injection)

Reference Information

BID: 54161

Secunia: 49103