CVE-2009-20011
BaseFortify
Publication date: 2025-08-30
Last updated on: 2025-09-02
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contentkeeper | contentkeeper_web_appliance | 125.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by sending a GET request to the vulnerable CGI script endpoint `/cgi-bin/ck/mimencode` and checking for a "500 Internal" server response, which indicates the presence of the vulnerability. For example, using curl: `curl -i http://<target-ip>/cgi-bin/ck/mimencode` and inspecting the HTTP status code. Additionally, monitoring for unusual POST requests uploading base64-encoded payloads to this endpoint may indicate exploitation attempts. [2]
Can you explain this vulnerability to me?
This vulnerability affects ContentKeeper Web Appliance versions prior to 125.10 and allows unauthenticated remote attackers to upload and execute arbitrary scripts on the server via the mimencode CGI utility. The exploit involves sending specially crafted requests to upload malicious payloads that run as the Apache user. Additionally, attackers can optionally escalate privileges to root by abusing insecure PATH usage in the benetool binary, enabling root-level access if successful. [1, 2]
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the affected system without any authentication or user interaction. Attackers can execute arbitrary commands as the Apache user and potentially escalate privileges to root, resulting in full system compromise. This impacts confidentiality, integrity, and availability of the system, allowing attackers to control system components and security attributes. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the ContentKeeper Web Appliance to version 125.10 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict access to the `/cgi-bin/ck/mimencode` CGI script with network controls such as firewall rules to prevent unauthenticated remote access. Also monitor and block suspicious POST requests attempting to upload files to this endpoint. After any exploitation attempt, check for and remove any unauthorized setuid root binaries (e.g., `/bin/bash` with the setuid bit set) and restore original system files. [1, 2]
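The log-side monitoring mentioned in the detection and mitigation answers above, as an added example that is not part of the original page or of any ContentKeeper tooling: it scans web access log lines for requests to `/cgi-bin/ck/mimencode` and groups them by client, so a probe followed by a POST stands out. The Apache common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ENDPOINT = "/cgi-bin/ck/mimencode"  # CGI path named on this page

# Prefix of the Apache common/combined log format (assumed; adjust to the
# appliance's actual LogFormat). Trailing referer/user-agent fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (ip, timestamp, reason) for a request to the mimencode CGI, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Compare the path only: drop any query string and collapse duplicate slashes.
    path = re.sub(r"/{2,}", "/", m["uri"].split("?", 1)[0])
    if path != ENDPOINT:
        return None
    if m["method"] == "POST":
        reason = "post-upload"   # upload attempt, as described on this page
    elif m["status"] == "500":
        reason = "probe-500"     # GET answered with 500: the fingerprint check
    else:
        reason = "other-access"
    return m["ip"], m["ts"], reason

def scan(lines):
    """Group findings by client IP, preserving log order."""
    hits = defaultdict(list)
    for line in lines:
        finding = classify(line)
        if finding:
            ip, ts, reason = finding
            hits[ip].append((ts, reason))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [02/Sep/2025:10:01:12 +0000] "GET /cgi-bin/ck/mimencode HTTP/1.1" 500 612',
    '198.51.100.7 - - [02/Sep/2025:10:01:15 +0000] "POST /cgi-bin/ck/mimencode?t=1 HTTP/1.1" 200 0',
    '203.0.113.9 - - [02/Sep/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [02/Sep/2025:10:02:04 +0000] "GET /cgi-bin//ck/mimencode HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE).items():
        print(ip, events)
```

On an appliance that should receive no legitimate traffic to this path, any hit is worth reviewing; a `probe-500` followed by a `post-upload` from the same client is the highest-priority pattern.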