rConfig 3.9.2 Command Injection
Posted by deepcore on November 8, 2019 – 1:20 pm
This Metasploit module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server user. This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64).
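For defenders, a check of web server access logs for requests to the install-time script described above. This is an added example, not part of the original post or of rConfig; it assumes Apache/nginx "combined" log format, and the function names, the sample log lines and the `example` path segment are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample lines in "combined" format (not real traffic).
# The "example" path segment is a placeholder, not rConfig's real layout.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Nov/2019:13:02:11 +0000] "GET /login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Nov/2019:13:05:40 +0000] "GET /install/example/ajaxServerSettingsChk.php?a=b HTTP/1.1" 200 58 "-" "curl/7.29.0"
203.0.113.9 - - [08/Nov/2019:13:05:44 +0000] "GET /install/example/%61jaxServerSettingsChk.php HTTP/1.1" 200 58 "-" "curl/7.29.0"
192.0.2.33 - - [08/Nov/2019:13:09:02 +0000] "GET /install/example/ajaxServerSettingsChk.php HTTP/1.1" 404 196 "-" "scanner"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_FILE = "ajaxserversettingschk.php"  # file named in the advisory, lowercased


def find_hits(log_text):
    """Return {client_ip: [(timestamp, status, reachable), ...]} for requests
    to the install-time script under any 'install' directory."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Drop the query string, decode percent-encoding, normalise case.
        path = unquote(urlsplit(m["target"]).path).lower()
        segments = [s for s in path.split("/") if s]
        if segments and segments[-1] == TARGET_FILE and "install" in segments[:-1]:
            status = int(m["status"])
            # 2xx/3xx means the script was served: the install directory remains.
            hits[m["ip"]].append((m["ts"], status, 200 <= status < 400))
    return dict(hits)


def install_dir_exposed(hits):
    """True if any logged request to the script was actually served."""
    return any(reachable for rows in hits.values() for _, _, reachable in rows)


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for ip, rows in found.items():
        print(ip, rows)
    print("install directory still reachable:", install_dir_exposed(found))
```

A served response to this path means the install directory was never removed; deleting it after installation closes the unauthenticated path the post describes.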