CVE-2018-11686 Scanner

CVE-2018-11686 Scanner - Remote Code Execution vulnerability in FlowPaper

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 1 hour
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

FlowPaper is widely used by publishers and content creators to convert PDF documents into interactive online publications. It integrates with websites to provide a digital reading experience, and users mainly employ it to improve the accessibility and presentation of their publications. The platform is designed to be adaptable, with customization options for various needs, and publishers use it to increase content engagement and distribution. Having migrated from Flash, FlowPaper also caters to today's mobile and browser-based audience.

Remote Code Execution (RCE) in FlowPaper allows attackers to execute arbitrary code on a vulnerable system, usually because user input is poorly validated. The vulnerability can be critical and may lead to full server compromise. In FlowPaper, the exploitable weakness is an oversight in the permissions of its update or configuration scripts: attackers can send crafted requests to gain command execution privileges. Such vulnerabilities often arise from insecure script handling in certain versions. Identifying and patching these gaps is crucial for maintaining system integrity.

The vulnerability in FlowPaper version 2.3.6 stems from lax input handling in the 'setup.php' and 'change_config.php' files. These scripts fail to adequately validate user input, allowing crafted POST and GET requests to alter the execution path. Critical path settings such as PDF2SWF_PATH can be manipulated to inject malicious commands. Attackers leverage this to execute commands remotely by encoding them and passing them through the vulnerable endpoints. Sanitizing input and handling configuration updates correctly is vital.
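For asset owners reviewing their own servers, the following is an added example (not code from this page or from FlowPaper) that flags access-log requests reaching the two scripts named above. It assumes Common/Combined Log Format; the sample lines, the /docs/ path and the addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINTS = {"setup.php", "change_config.php"}  # scripts named on this page
CONFIG_KEY = "PDF2SWF_PATH"                      # setting named on this page

# Assumption: the web server writes Common/Combined Log Format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, hypothetical /docs/ path).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jun/2018:09:00:00 +0000] "GET /docs/index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Jun/2018:09:01:10 +0000] "GET /docs/setup.php?PDF2SWF_PATH=constructed-value HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2018:09:01:12 +0000] "POST /docs/change_config.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jun/2018:09:05:00 +0000] "GET /docs/setup.php.bak HTTP/1.1" 404 0',
]

def flag_requests(lines):
    """Return one finding per request that reaches a FlowPaper setup/config script."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        script = url.path.rsplit("/", 1)[-1].lower()
        if script not in ENDPOINTS:
            continue  # exact script names only, so setup.php.bak is skipped
        keys = {k.upper() for k in parse_qs(url.query, keep_blank_values=True)}
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "script": script,
            "status": int(m["status"]),
            # Query string tries to set the converter path: review first.
            "sets_converter_path": CONFIG_KEY in keys,
            # Request bodies are not in access logs, so every POST needs follow-up.
            "needs_body_review": m["method"] == "POST",
        })
    return findings

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```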

Exploitation of RCE vulnerabilities in FlowPaper can lead to directory exploration, data theft, or complete system control. Attackers gaining unauthorized access may upload malware, steal data, or modify application behavior. Critical systems could face downtime due to injected processes consuming resources. The integrity of hosted data can be compromised, leading to further breaches. Such vulnerabilities pose significant threats to organizations relying on these systems.
