Sharetronix contains multiple vulnerabilities, including remote code execution vulnerabilities that permit attackers to execute arbitrary PHP code on the server. Sharetronix is also vulnerable to SQL injection, cross-site request forgery, and a security bypass.
Sharetronix 3.1.1 and possibly other versions
No Exploit Available
Remote Code Execution
Exploitation of this vulnerability is possible by forming a malicious request and sending it to the affected server. Remote attackers who successfully exploit this vulnerability will be able to execute arbitrary commands on the vulnerable system with the same rights as the web service.
SQL Injection
A remote attacker can inject SQL through the "fb_user_id" and "tw_user_id" parameters passed to /signup, altering the query sent to the database and possibly gaining access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.
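One way to spot attempts against the /signup injection described above in web server access logs, as an added example that is not part of this advisory or of Sharetronix itself: it assumes that fb_user_id and tw_user_id should only ever carry numeric social-network user ids, and flags any /signup request where either value is not a plain integer. The log lines are constructed for the example, not taken from a real server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
# Line 2 carries a non-numeric fb_user_id and should be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2013:10:01:22 +0000] "GET /signup?fb_user_id=100004213&tw_user_id=5512 HTTP/1.1" 200 4120
203.0.113.9 - - [05/Dec/2013:10:02:07 +0000] "GET /signup?fb_user_id=100004213%27%20OR%201%3D1--&tw_user_id=5512 HTTP/1.1" 200 4120
203.0.113.9 - - [05/Dec/2013:10:02:31 +0000] "POST /signup HTTP/1.1" 302 0
198.51.100.2 - - [05/Dec/2013:10:03:44 +0000] "GET /index.php?q=fb_user_id HTTP/1.1" 200 981
"""

# Fields of a combined-format access log line that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Parameters named in the advisory, and the allow-list they must satisfy.
# Assumption: Facebook and Twitter user ids are purely numeric.
WATCHED_PARAMS = ("fb_user_id", "tw_user_id")
ID_RE = re.compile(r"^\d{1,20}$")


def suspicious_signup_requests(log_text):
    """Return one finding per watched /signup parameter whose value is not a plain integer.

    Only the query string is visible in access logs, so POST bodies to /signup
    are not inspected here; a WAF or application-level log is needed for those.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/signup":
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are seen as-is.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if not ID_RE.match(value):
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in suspicious_signup_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}")
```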
Cross-Site Request Forgery
Exploitation of this vulnerability is possible via forged HTML forms, sent to a victim through a number of different attack vectors (including malicious links). Attackers who successfully exploit this vulnerability may be able to take complete control of the affected device, including the ability to change arbitrary settings, such as the username and password for administering the vulnerable device.
Security Bypass
This vulnerability allows an attacker to bypass certain security restrictions on the system and gain unauthorized access to it.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- 31763 - Sharetronix Multiple Vulnerabilities (20131205) (Zero-Day)
No mitigations are available.
- Original Advisory: CVE-2013-5352
- Original Advisory: CVE-2013-5353
- Original Advisory: CVE-2013-5354
- Original Advisory: CVE-2013-5355
- Original Advisory: CVE-2013-5356