filipsedivy/CVE-2020-15227

CVE-2020-15227

DISCLAIMER! I take no responsibility for use of this in the wild, so please do NOT do it. This thingy is just a demonstration and a way for sysadmins to test things.


This tool tests for the CVE-2020-15227 vulnerability in nette/application.

How to fix the vulnerability

Composer

Update the dependency to the latest version.

  • nette/application >= 3.0.6
  • nette/application >= 2.4.16
  • nette/application >= 2.3.14
  • nette/application >= 2.2.10
  • nette/nette >= 2.1.13
  • nette/nette >= 2.0.19

Add roave/security-advisories as a new dependency of the project.
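
A check of a project's composer.lock against the fixed versions listed above, as an added example that is not part of this repository's code. It assumes each listed version is the minimum fixed release for its minor branch and reports any other branch or non-numeric version as unlisted; the sample lock content is constructed.

```python
import json
import re

# Minimum fixed patch release per minor branch, taken from the list above.
# Assumption: each entry applies only to its own major.minor branch.
FIXED = {
    "nette/application": {(3, 0): 6, (2, 4): 16, (2, 3): 14, (2, 2): 10},
    "nette/nette": {(2, 1): 13, (2, 0): 19},
}


def classify(name, version):
    """Return 'patched', 'needs-update' or 'unlisted' for one locked package."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unlisted"  # dev-master, branch aliases etc. need manual review
    major, minor, patch = map(int, m.groups())
    floor = FIXED[name].get((major, minor))
    if floor is None:
        return "unlisted"  # branch not named in the list above
    return "patched" if patch >= floor else "needs-update"


def audit_lock(lock_text):
    """Map each tracked package in composer.lock text to (version, status)."""
    lock = json.loads(lock_text)
    found = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name in FIXED:
            found[name] = (pkg["version"], classify(name, pkg["version"]))
    return found


# Constructed composer.lock excerpt, for illustration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/application", "version": "v3.0.5"},
        {"name": "nette/utils", "version": "v3.1.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

To audit a real project, pass the contents of its composer.lock to audit_lock() and review every result that is not 'patched'.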

Third-party patch tools

Description

List of tested vulnerabilities:

  • file_put_contents
  • Nette\Utils\FileSystem::write
  • shell_exec

Requirements

  • Python 3.x

Usage

git clone https://github.com/filipsedivy/CVE-2020-15227
cd CVE-2020-15227
python main.py https://example.com

OR

wget https://github.com/filipsedivy/CVE-2020-15227/archive/master.zip
unzip master.zip
cd CVE-2020-15227-master
python main.py https://example.com


API

Example

from CVE_2020_1522 import CVE_2020_15227

# Disable verbose
cve = CVE_2020_15227(verbose=False)

# Response True or False
result = cve.run("https://example.com")

if result is True:
    print('Fuck! Confirmed vulnerability! :-( Need update composer')
else:
    print('Good night! Everything is okay. :)')

Related links
