CVE-2023-24736

9.8 CRITICAL

📋 TL;DR

PMB v7.4.6 contains a remote code execution vulnerability in the /sauvegarde/restaure_act.php component that allows attackers to execute arbitrary code on affected systems. This affects all organizations running vulnerable versions of PMB software with the vulnerable component accessible.

💻 Affected Systems

Products:
  • PMB (PhpMyBibli)
Versions: v7.4.6
Operating Systems: Linux, Windows, Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the backup restoration component which may be accessible if the PMB installation is exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attackers gain shell access to the web server, allowing them to read sensitive files, modify content, and potentially escalate privileges to the underlying operating system.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts before successful compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub repository contains exploit code, making this easily weaponizable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check for official PMB updates or patches. If none available, implement workarounds immediately.

🔧 Temporary Workarounds

Disable vulnerable component

Platform: linux

Remove or restrict access to the /sauvegarde/restaure_act.php file

mv /path/to/pmb/sauvegarde/restaure_act.php /path/to/pmb/sauvegarde/restaure_act.php.disabled
# chmod the renamed file: the original path no longer exists after the mv
chmod 000 /path/to/pmb/sauvegarde/restaure_act.php.disabled

Web server access restriction

Platform: all

Configure web server to block access to the vulnerable endpoint

# Apache 2.4: Add to the virtual host config (<Location> is not valid inside .htaccess;
# in a .htaccess file placed in the sauvegarde/ directory use <Files "restaure_act.php"> instead)
<Location "/sauvegarde/restaure_act.php">
    Require all denied
</Location>
# Apache 2.2 equivalent inside the same <Location> block:
#     Order deny,allow
#     Deny from all
# Nginx: Add to server block (deny all already answers with 403)
location = /sauvegarde/restaure_act.php {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PMB systems from critical infrastructure
  • Deploy web application firewall (WAF) rules to block requests to /sauvegarde/restaure_act.php

🔍 How to Verify

Check if Vulnerable:

Check if PMB version is 7.4.6 and if /sauvegarde/restaure_act.php is accessible via HTTP requests

Check Version:

Check PMB configuration files or database for version information, typically in includes/version.php or similar

Verify Fix Applied:

Test that /sauvegarde/restaure_act.php returns 403/404 error or is inaccessible

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /sauvegarde/restaure_act.php with suspicious parameters
  • Unusual process execution from web server user
  • File uploads or modifications in unexpected locations

Network Indicators:

  • HTTP POST requests to /sauvegarde/restaure_act.php with command-like parameters
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_server_logs" AND (uri="/sauvegarde/restaure_act.php" OR uri LIKE "%/sauvegarde/restaure_act.php%")
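The log indicators above can be checked offline against web server access logs. The following is an added example (not part of this advisory page or of PMB) that parses combined-format access log lines, normalises the request path so that double slashes, percent-encoding and case differences do not hide a request to the vulnerable endpoint, and ranks each hit; the log lines are constructed samples, not real traffic.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:20 +0000] "POST /sauvegarde/restaure_act.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:02:03 +0000] "GET /sauvegarde/restaure_act.php?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2024:10:02:09 +0000] "GET /Sauvegarde//%72estaure_act.php HTTP/1.1" 200 310 "-" "curl/8.4.0"
192.0.2.17 - - [10/Mar/2024:10:03:44 +0000] "GET /opac_css/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TARGET = "/sauvegarde/restaure_act.php"


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    uri: str
    status: int
    severity: str


def normalise_path(uri: str) -> str:
    # Strip the query string, percent-decode, collapse "//" and "/./", lowercase
    # (PHP on Windows resolves paths case-insensitively, and the advisory lists Windows as affected).
    path = uri.split("?", 1)[0]
    return posixpath.normpath(unquote(path)).lower()


def classify(method: str, status: int) -> str:
    # An accepted POST is the strongest signal (the endpoint is reached with a body);
    # a 403/404 means the block from the workarounds held, so it is reconnaissance noise.
    if status in (403, 404):
        return "blocked"
    return "high" if method == "POST" else "medium"


def scan_log(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and normalise_path(m["uri"]) == TARGET:
            status = int(m["status"])
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["uri"], status, classify(m["method"], status)))
    return hits
```

Every "high" or "medium" hit on a host that is supposed to have the endpoint blocked means the workaround is not in effect on that request path and the host should be treated as potentially compromised.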
