diff --git a/documentation/modules/exploit/linux/http/php_imap_open_rce.md b/documentation/modules/exploit/linux/http/php_imap_open_rce.md index de44cf8f55..6a8b137ed8 100644 --- a/documentation/modules/exploit/linux/http/php_imap_open_rce.md +++ b/documentation/modules/exploit/linux/http/php_imap_open_rce.md @@ -8,16 +8,18 @@ applications are vulnerable: * instantcms -* HostCMS -* e107_2 -* prestashop -* SuiteCRM +* [HostCMS](https://github.com/HostCMS/hostcms6.free/blob/1d54bdefcd6c28918cb09dd7cb6aea404879b93f/modules/core/mail/imap.php#L140) +* [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83) +* [prestashop](https://github.com/PrestaShop/PrestaShop/blob/0d53d6b58b951ac364ad44671cf1ae9bf7ab6aed/controllers/admin/AdminCustomerThreadsController.php#L1010) +* [SuiteCRM](https://github.com/salesagility/SuiteCRM/blob/153b2bae76097cdba9fc9c025bcd829a702b8687/modules/InboundEmail/EditView.php#L260) * SugarCRM Prestashop exploitation requires the admin URI, and administrator credentials. SuiteCRM exploitation requires administrator credentials. + e107 v2 exploitation requires administrator credentials. + ### Prestashop 1.7.2.4 on Ubuntu 16.04 Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/), @@ -40,6 +42,8 @@ sudo phpenmod imap sudo mysql -u root -p ``` +Run the following database commands: + ``` CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here'; GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION; @@ -152,6 +156,8 @@ sudo mysql_secure_installation sudo mysql -u root -p ``` +Run the following database commands: + ``` CREATE DATABASE e107; CREATE USER 'e107user'@'localhost' IDENTIFIED BY 'new_password_here'; 
@@ -169,6 +175,8 @@ sudo chmod -R 755 /var/www/html/e107/ sudo nano /etc/apache2/sites-available/e107.conf ``` +Utilize the following configuration: + ``` <VirtualHost *:80> ServerAdmin admin@example.com diff --git a/modules/exploits/linux/http/php_imap_open_rce.rb b/modules/exploits/linux/http/php_imap_open_rce.rb index 90de0bff6e..b06a5c22cf 100644 --- a/modules/exploits/linux/http/php_imap_open_rce.rb +++ b/modules/exploits/linux/http/php_imap_open_rce.rb @@ -16,9 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, it is reported that the following applications are vulnerable: - instantcms, HostCMS, e107_2, prestashop, SuiteCRM, SugarCRM. + instantcms, HostCMS, e107 v2, prestashop, SuiteCRM, SugarCRM. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM requires administrator credentials. + e107 requires administrator credentials. }, 'Author' => [
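Review bot: In the application list of documentation/modules/exploit/linux/http/php_imap_open_rce.md (hunk @@ -8,16 +8,18), instantcms and SugarCRM are left as bare names while the other four entries gain commit-pinned source links, so a reader cannot tell whether those two were verified the same way. Either add an equivalent reference for each or mark them as reported but unconfirmed. The list also spells the product `prestashop` while the prose directly below uses `Prestashop`; pick one spelling and use it in both places.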
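Review bot: In the Prestashop setup hunk (@@ -40,6 +42,8), the new lead-in "Run the following database commands:" sits above statements that use two different placeholder passwords for the same account: `IDENTIFIED BY 'new_password_here'` in the CREATE USER and `IDENTIFIED BY 'user_password_here'` in the GRANT. Since this patch is already tidying that block, use one placeholder in both statements, or drop the IDENTIFIED BY clause from the GRANT, so that someone following the steps literally knows which password the installer will need.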
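Review bot: In the e107 Apache hunk (@@ -169,6 +175,8), "Utilize the following configuration:" does not say where the configuration goes, and its wording differs from the "Run the following database commands:" lead-ins added elsewhere in this patch. Suggest naming the file opened on the preceding line, for example "Use the following configuration in `/etc/apache2/sites-available/e107.conf`:".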
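Review bot: In the description string of modules/exploits/linux/http/php_imap_open_rce.rb (hunk @@ -16,9 +16,10), the added line "e107 requires administrator credentials." drops the "v2" that this same hunk introduces in the application list and that the documentation change uses ("e107 v2 exploitation requires administrator credentials."). Suggest "e107 v2 requires administrator credentials." so the module and its documentation name the target identically. While touching these lines, the unchanged "suiteCRM requires administrator credentials." could be corrected to "SuiteCRM" to match the list above it.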