CVE-2014-1683 Information

Description

The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04 when the pid parameter is 4 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name (2) email (3) subject or (4) message parameter to index.php.

Reference

http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html http://seclists.org/fulldisclosure/2014/Jan/159 http://secunia.com/advisories/56646 http://www.exploit-db.com/exploits/31183 http://www.exploit-db.com/exploits/31432 http://www.securityfocus.com/bid/65129 https://exchange.xforce.ibmcloud.com/vulnerabilities/90670