
CVE-2020-12641 PoC — Roundcube Webmail OS Command Injection Vulnerability

Source
Associated Vulnerability
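Title: Roundcube Webmail OS Command Injection Vulnerability (CVE-2020-12641)
Description: Roundcube Webmail is an open-source, browser-based IMAP client that supports address book management, message searching, spell checking, and more. The rcube_image.php file in Roundcube Webmail versions before 1.4.4 contains an OS command injection vulnerability. An attacker can exploit it with shell metacharacters to execute arbitrary code.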
Description
Roundcube Webmail before 1.4.4 contains a command injection vulnerability caused by shell metacharacters in the im_convert_path or im_identify_path configuration settings, which lets attackers execute arbitrary code. Exploitation requires the attacker to control these configuration settings.
File Snapshot

id: CVE-2020-12641 info: name: Roundcube Webmail - Command Injection author: domwhewell-sage ...