CVE-2022-44384 An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code.

This issue exists because the rConfig v3.9.6 package does not check the file extension of the uploaded file before executing it. An attacker can exploit this issue to execute arbitrary code. Note that rconfig v3.9.6 is only vulnerable when used to upload PHP files. rconfig v3.9.6 resolves this issue by updating its code to ensure that the file extension is validated before execution. rconfig v3

Reduce the risk of code execution by ensuring that the rconfig v3.9.6 package does not execute files with a malicious file extension.

rconfig v3.9.7

(Released December 2016)
rconfig v3.9.7 resolves this issue by verifying that the uploaded file has a .php extension before execution.

v3.9.7

This release includes the following changes:
* Updated code to ensure that the rconfig v3.9.6 package does not execute files with a malicious file extension
* Improved detection of the PHP process identifier
* Ensure that rconfig v3.9.7 has no known issues with its patch installation process
* Fixed issues with filesystem permissions

rconfig v3.9.7: Update the code to check file extension before execution

The rConfig v3.9.7 package resolves CVE-2022-44384 by updating its code to check the file extension before execution. CVE-2022-44384 is an issue with the upload functionality of rconfig v3.9.6 that allows an attacker to execute arbitrary code by exploiting the lack of file extension validation.
