Klog Server Vulnerability List
Found 6 vulnerabilities related to Klog Server
-
CVE-2020-35729: Klog Server <=2.41 - Unauthenticated Command Injection POC
Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7. -
CVE-2025-1035: KLog Server - Path Traversal POC
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1. -
klog-server-default-login: KLog Server - Default Login POC
KLog Server contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. -
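KLog Server Backend Command Injection No POC
KLog is a logging tool for Android development by the individual developer ZhaoKaiQiang (KLog). Its main features include printing line numbers, function calls, JSON parsing, XML parsing, click-to-jump navigation, and saving log information. KLog Server through 2.4.1 has a command injection vulnerability, which stems from the program allowing authenticated command injection. `async.php` calls `shell_exec()` on the raw value of the source parameter.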