CVE-2014-125116
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-07-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hybridauth | hybridauth | 2.0.9 |
| hybridauth | hybridauth | 2.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2014-125116 is a critical remote code execution vulnerability in HybridAuth versions 2.0.9 through 2.2.2. It arises because the installation script 'install.php' remains accessible after deployment and improperly sanitizes user input before writing it into the application's 'config.php' file. An unauthenticated attacker can send specially crafted POST requests to 'install.php' to inject arbitrary PHP code into 'config.php'. When 'config.php' is later loaded by the application, the injected code executes, allowing the attacker to run arbitrary commands on the server. Exploiting this vulnerability overwrites the existing configuration, which can render the application non-functional. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the server hosting HybridAuth, potentially leading to full remote code execution. This can result in unauthorized system command execution, data compromise, server takeover, and disruption of service. Additionally, exploitation overwrites the 'config.php' file, which can cause the application to become unusable until the configuration is restored. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, check whether the 'install.php' script is accessible on your HybridAuth installation and whether the 'config.php' file is writable. You can use HTTP requests (for example with curl) to verify the presence of 'install.php' and to test whether POST requests to it can modify 'config.php'. Additionally, verify whether the HybridAuth version is between 2.0.9 and 2.2.2, which are the vulnerable versions.

Example commands:

1. Check if install.php is accessible: `curl -I http://yourserver/path/to/hybridauth/install.php`
2. Test if config.php is writable via install.php (non-destructive test recommended): `curl -X POST -d 'testparam=testvalue' http://yourserver/path/to/hybridauth/install.php`. Back up 'config.php' first, because writes made through 'install.php' overwrite the existing configuration.
3. Verify the HybridAuth version in your application files or via package manager.

Note: Exploit modules (e.g., Metasploit) perform these checks automatically by verifying the presence of 'install.php', writability of 'config.php', and version range. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Remove or restrict access to the 'install.php' script after installation to prevent attackers from exploiting it.
2. Ensure that 'config.php' is not writable by the web server user to prevent unauthorized modifications.
3. Upgrade HybridAuth to a version later than 2.2.2 where this vulnerability is fixed.
4. If removal of 'install.php' is not possible immediately, restrict access to it via web server configuration (e.g., IP whitelisting or authentication).

These steps prevent unauthenticated attackers from injecting malicious PHP code into 'config.php' and executing remote code on the server. [1, 4]
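A local, read-only way to check the two preconditions named in the detection and mitigation answers above ('install.php' still present, 'config.php' still writable) without sending any POST request. This is an added example, not BaseFortify's or HybridAuth's code. It assumes a HybridAuth 2.x layout in which `Hybrid/Auth.php` holds a `$version` string and 'install.php' and 'config.php' sit one directory above it; the function and status names are hypothetical.

```shell
#!/bin/sh
# Added example: local, read-only audit for the CVE-2014-125116 preconditions.
# Assumptions (not from the advisory): a HybridAuth 2.x tree contains
# Hybrid/Auth.php with a line like  public static $version = "2.2.2";
# and install.php / config.php sit in the directory above Hybrid/.

# Succeeds if any write permission bit (owner, group or other) is set.
# Mode bits are used instead of `test -w` so the result does not depend on
# which user runs the audit; treat a hit as "review ownership", not as proof.
has_write_bit() {
    [ -n "$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_hybridauth WEBROOT
# Prints one line per install found: STATUS<TAB>VERSION<TAB>DIRECTORY
audit_hybridauth() {
    find "$1" -type f -path '*/Hybrid/Auth.php' 2>/dev/null |
    while IFS= read -r auth; do
        dir=$(dirname "$(dirname "$auth")")
        version=$(sed -n 's/.*\$version *= *"\([^"]*\)".*/\1/p' "$auth" | head -n 1)
        # If config.php is missing, a writable directory would still allow
        # one to be created, so fall back to the directory's own mode.
        target="$dir/config.php"
        [ -e "$target" ] || target="$dir"
        if [ ! -e "$dir/install.php" ]; then
            status=OK_INSTALLER_REMOVED
        elif has_write_bit "$target"; then
            status=EXPOSED_INSTALLER_WRITABLE_CONFIG
        else
            status=INSTALLER_PRESENT_CONFIG_READONLY
        fi
        printf '%s\t%s\t%s\n' "$status" "${version:-unknown}" "$dir"
    done
}

# Run against a web root when one is given, e.g.: sh audit.sh /var/www
if [ "$#" -ge 1 ]; then
    audit_hybridauth "$1"
fi
```

Compare the reported version against the affected range in the table above. An install that reports `INSTALLER_PRESENT_CONFIG_READONLY` still needs 'install.php' removed or access to it restricted.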