Posts Tagged ‘command’

Shadowsocks Log Manipulation / Command Execution

Several issues have been identified which allow attackers to manipulate log files, execute commands, and brute force Shadowsocks even with brute force detection enabled. Brute force detection from does not work with the suggested tail command. The key of captured Shadowsocks traffic can be brute forced. The latest commit 2ab8c6b on Sep 6, 2017 […]

Git cvsserver Remote Command Execution

The git subcommand cvsserver is a Perl script which makes excessive use of the backtick operator to invoke git. Unfortunately, user input is used within some of those invocations, which allows OS command injection. Versions before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 are affected. Source: Git cvsserver Remote Command Execution

NodeJS Debugger Command Injection

This Metasploit module uses the “evaluate” request type of the NodeJS V8 debugger protocol (version 1) to evaluate arbitrary JS and call out to other system commands. The port (default 5858) is only exposed locally in default configurations, but may be exposed more widely either intentionally or via misconfiguration. Source: NodeJS Debugger Command Injection