CVE-2014-5087

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on servers running vulnerable versions of Sphider Search Engine. Attackers can achieve remote code execution (RCE) by exploiting improper input validation in admin functions. Any organization using Sphider Search Engine versions prior to 1.3.6 is affected.

💻 Affected Systems

Products:
  • Sphider Search Engine
Versions: All versions prior to 1.3.6
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access or the ability to reach admin functions. The vulnerability is in the admin/spiderfuncs.php file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to web server compromise, data theft, or website defacement.

🟢 If Mitigated

Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access or the ability to reach admin functions. Public exploit code exists in Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.6 and later

Vendor Advisory: http://www.sphider.eu/

Restart Required: No

Instructions:

1. Download Sphider 1.3.6 or later from the official site.
2. Back up the current installation.
3. Replace all files with the new version.
4. Verify admin/spiderfuncs.php has been updated.

🔧 Temporary Workarounds

Restrict admin access

all

Limit access to admin functions via IP whitelisting or authentication hardening

# Add to .htaccess for Apache:
# (Apache 2.2 syntax; Apache 2.4 only honors these directives through mod_access_compat)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

Remove vulnerable file

linux

Temporarily remove or rename the vulnerable admin/spiderfuncs.php file

mv admin/spiderfuncs.php admin/spiderfuncs.php.disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Sphider instance
  • Deploy a web application firewall (WAF) with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if admin/spiderfuncs.php contains exec() calls without proper input validation

Check Version:

Check version.txt file or look for version information in Sphider configuration files

Verify Fix Applied:

Verify admin/spiderfuncs.php has been updated and exec() calls are properly sanitized
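
The "Check if Vulnerable" and "Verify Fix Applied" steps above can be scripted as a first pass. The following is an added example, not Sphider code or part of the original advisory: a heuristic that lists PHP lines calling a command-execution function with a variable and no shell escaping on the same line. The function list and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: heuristic review aid, not Sphider code.
# Escaping done on an earlier line is not seen, so treat every hit as
# "read this line", not as proof of a flaw.

# Assumed list of PHP functions that run OS commands.
SINKS='exec|shell_exec|system|passthru|popen|proc_open'

# audit_exec_calls FILE -> prints "LINE:source" for each suspicious call.
audit_exec_calls() {
    # 1) sink call not preceded by an identifier char, ">" or "$"
    #    (skips curl_exec(), $pdo->exec(), $exec())
    # 2) the line references a PHP variable ($...)
    # 3) no escapeshellarg()/escapeshellcmd() on the line
    # 4) the line is not a comment
    grep -nE "(^|[^A-Za-z0-9_>\$])($SINKS)[[:space:]]*\\(" "$1" \
        | grep -F '$' \
        | grep -vE 'escapeshell(arg|cmd)[[:space:]]*\(' \
        | grep -vE '^[0-9]+:[[:space:]]*(//|#|\*)' || true
}

# Constructed sample input (hypothetical code, for demonstration only).
write_sample() {
    cat > "$1" <<'PHP'
<?php
// constructed sample, not Sphider code
exec("converter " . $file, $out);
exec("converter " . escapeshellarg($file), $out);
$r = curl_exec($ch);
system("uptime");
// exec($old);
$pdo->exec($sql);
$txt = shell_exec("pdftotext $path -");
PHP
}

# Usage: sh audit.sh admin/spiderfuncs.php   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    audit_exec_calls "$1"
else
    tmp=$(mktemp); write_sample "$tmp"; audit_exec_calls "$tmp"; rm -f "$tmp"
fi
```

Run it against admin/spiderfuncs.php before and after the upgrade; any line it still prints afterwards needs manual review.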

📡 Detection & Monitoring

Log Indicators:

  • Unusual exec() calls in PHP logs
  • Suspicious admin access patterns
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from web server
  • Traffic to admin functions from unexpected sources

SIEM Query:

source="web_logs" AND ("exec(" OR "system(" OR "shell_exec(") AND uri="*/admin/spiderfuncs.php*"
