BeyondTrust

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Sharetronix Multiple Vulnerabilities

Disclosed: December 5, 2013

Zeroday: 272 days

Vulnerability Description:

Sharetronix contains multiple vulnerabilities, including remote code execution vulnerabilities that permit attackers to execute arbitrary PHP code on the server. Sharetronix is also vulnerable to SQL injection, cross-site request forgery, and a security bypass.

Vendors:

Sharetronix

Vulnerable Software/Devices:

Sharetronix 3.1.1 and possibly other versions

Vulnerability Severity:

High

Exploit Availability:

No Exploit Available

Exploit Impact:

Remote Code Execution
Exploitation of this vulnerability is possible by forming a malicious request and sending it to the affected server. Remote attackers who successfully exploit this vulnerability will be able to execute arbitrary commands on the vulnerable system with the same rights as the web service.

SQL Injection
A remote attacker is able to alter a database query by manipulating the "fb_user_id" and "tw_user_id" parameters passed to /signup, allowing the attacker to query the database and possibly gain access to sensitive information. This may be leveraged to gain access to other sensitive components of a website or publicly facing infrastructure.

Cross-Site Request Forgery
Exploitation of this vulnerability is possible via forged HTML forms, sent to a victim through a number of different attack vectors (including malicious links). Attackers who successfully exploit this vulnerability may be able to take complete control of the affected device, including the ability to change arbitrary settings, such as the username and password for administering the vulnerable device.

Security Bypass
This vulnerability allows an attacker to bypass certain security restrictions on the system, allowing the attacker to gain unauthorized access to the system.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 31763 - Sharetronix Multiple Vulnerabilities (20131205) (Zero-Day)

Mitigation:

No mitigations are available.
