CVE-2011-2195

9.8 CRITICAL

📋 TL;DR

CVE-2011-2195 is a critical remote code execution vulnerability in WebSVN 2.3.2 that allows unauthenticated attackers to execute arbitrary commands on the underlying operating system. This affects WebSVN installations where the 'allowDownload' option is enabled in config.php. Attackers can exploit this by crafting malicious requests to the dl.php script.

💻 Affected Systems

Products:
  • WebSVN
Versions: 2.3.2 specifically (though other versions may be vulnerable if similarly configured)
Operating Systems: All operating systems running WebSVN
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when 'allowDownload' option is enabled in config.php. This is not the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to web server compromise, data theft, or deployment of web shells for persistent access.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - This is an unauthenticated RCE vulnerability that can be exploited remotely without any user interaction.
🏢 Internal Only: HIGH - Even internally, this provides an easy path for privilege escalation and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers only need to craft a specific URL with the 'path' parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WebSVN 2.3.3 and later

Vendor Advisory: https://websvn.tigris.org/issues/show_bug.cgi?id=219

Restart Required: No

Instructions:

1. Upgrade to WebSVN 2.3.3 or later.
2. Download from the official WebSVN repository.
3. Replace the existing installation files.
4. No service restart is required, as WebSVN is a PHP application.

🔧 Temporary Workarounds

Disable allowDownload option

Operating Systems: all

Set allowDownload to false in config.php to prevent exploitation.

Edit config.php and set: $config->setAllowDownload(false);

Restrict access to dl.php

Operating Systems: all

Block direct access to the vulnerable dl.php script using the web server configuration. Adjust the path if WebSVN is installed under a subdirectory (for example /websvn/dl.php).

For Apache (2.2 syntax; Apache 2.4 uses "Require all denied" instead of the Order/Deny pair):
  <Location /dl.php>
    Order deny,allow
    Deny from all
  </Location>

For Nginx:
  location = /dl.php { deny all; }

🧯 If You Can't Patch

  • Disable the 'allowDownload' option in config.php immediately
  • Implement network segmentation to isolate WebSVN server from critical systems
  • Add web application firewall rules to block requests to dl.php with suspicious path parameters

🔍 How to Verify

Check if Vulnerable:

Check config.php for the line $config->setAllowDownload(true); and verify that the WebSVN version is 2.3.2.

Check Version:

Check the version in the WebSVN footer or examine the source code files for version markers

Verify Fix Applied:

Verify that the WebSVN version is 2.3.3 or later, and ensure that allowDownload is disabled or, if it must stay enabled, that the patched dl.php is in use.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to dl.php with unusual path parameters
  • Commands being executed via web server process
  • Unusual process creation from web server user

Network Indicators:

  • HTTP requests containing shell metacharacters in path parameter
  • Outbound connections from web server to unexpected destinations

SIEM Query:

source="webserver.log" AND (uri="/dl.php" AND (path CONTAINS "|" OR path CONTAINS ";" OR path CONTAINS "`"))
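The SIEM query above matches literal metacharacters, but in access logs the path parameter is normally percent-encoded (and sometimes double-encoded), so a check has to decode it first. The Python script below is an added example, not code from the advisory or from WebSVN: it parses constructed combined-format access log lines, decodes the path parameter of dl.php requests and flags those carrying the metacharacters listed above; the metacharacter set and the parameter names other than 'path' are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters from the advisory's SIEM query (| ; `) plus a few
# equivalents; assumption: this set is illustrative, not exhaustive.
SHELL_META = re.compile(r"[|;`$&\n]")

# Apache/Nginx "combined" access log: client, identd, user, [timestamp], request line, status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def query_params(query):
    """Split on '&' only (never ';') and percent-decode, so an injected ';' stays in the value."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def suspicious_dl_request(line):
    """Return (client, decoded_path) for a dl.php request whose 'path' holds a shell metacharacter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rsplit("/", 1)[-1] != "dl.php":
        return None
    for value in query_params(url.query).get("path", []):
        # Test the decoded value and a second decoding, so %3B and double-encoded %253B are both caught.
        for candidate in (value, unquote_plus(value)):
            if SHELL_META.search(candidate):
                return (m.group("client"), candidate)
    return None

def scan(lines):
    """Run the check over an iterable of access-log lines and return the hits."""
    return [hit for hit in map(suspicious_dl_request, lines) if hit]

# Constructed sample log lines (not real traffic); parameter names other than 'path' are illustrative.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2011:12:00:01 +0000] "GET /websvn/dl.php?repname=proj&path=%2Ftrunk%2F HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jun/2011:12:00:02 +0000] "GET /websvn/dl.php?repname=proj&path=%2Ftrunk%2F%3Bid HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Jun/2011:12:00:03 +0000] "GET /websvn/dl.php?repname=proj&path=%2Ftrunk%2F%257Cid HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Jun/2011:12:00:04 +0000] "GET /websvn/listing.php?repname=proj&path=%2Ftrunk%2F%3B HTTP/1.1" 200 9001',
]
```

Running scan(SAMPLE_LOG) flags the second and third lines only; the benign download and the request to a different script are left alone.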

🔗 References