CVE-2020-15227

DISCLAIMER! I take no responsibility of using it in wild life environment so please do NOT do it. This thingy is just to demonstrate and for test things for sysadmins

This tool tests for vulnerability in nette/application.

How to fix the vulnerability

Composer

Update dependency to the latest version.

• nette/application >=3.0.6
• nette/application >=2.4.16
• nette/application >=2.3.14
• nette/application >=2.2.10
• nette/nette >= 2.1.13
• nette/nette >= 2.0.19

Add a new dependency roave/security-advisories into the project

Third-party patch tools

• PHP tool by @dg
• Bash tool by @spaze

Description

List of tested vulnerabilities:

• file_put_contents
• Nette\Utils\FileSystem::write
• shell_exec

Requiments

• Python 3.x

Usage

git clone https://github.com/filipsedivy/CVE-2020-15227
cd CVE-2020-15227
python main.py https://example.com

OR

wget https://github.com/filipsedivy/CVE-2020-15227/archive/master.zip
unzip master.zip
cd CVE-2020-15227-master
python main.py https://example.com

API

Example

from CVE_2020_1522 import CVE_2020_15227
# Disable verbose
cve = CVE_2020_15227(verbose=False)
# Response True or False
result = cve.run("https://example.com")
if result is True:
    print('Fuck! Confirmed vulnerability! :-( Need update composer')
else:
    print('Good night! Everything is okay. :)')

Related links

• cve.mitre.org - CVE-2020-15227
• blog.nette.org - CVE-2020–15227: Potential Remote Code Execution Vulnerability
• michalspacek.com - Don’t let security bugs catch you off guard
• blog.nette.org - CVE-2020–15227: Chyba potenciálně umožňující vzdálené spuštění kódu
• michalspacek.com - Ať vás bezpečnostní chyby nenachytají na švestkách
• phpfashion.com - Objevena první zranitelnost v Nette, aktualizujte!