Presentation

A SQL injection is present in eonapi; the affected parameter is getApiKey. The injection bypasses authentication, so anyone can log in without an account.

Exploit

EONRCEv1

Impacted Version(s)

EON 5.3-0

Fixed Version(s)

EON 5.3-1

Fix

Download the latest fixed EON version.
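
To review whether an instance that ran an impacted version received suspicious getApiKey requests, the following added example (not part of the original advisory or of the EON project's code) scans web access logs for getApiKey calls whose decoded query string contains SQL metacharacters. It assumes combined-format access logs and that the call name appears in the request path; the sample lines, paths and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Heuristic SQL-injection markers, applied to the fully decoded query string.
SQLI_RE = re.compile(r"""['"]|--|/\*|;|\b(?:union|select|or|and)\b\s*[\d('"]""", re.I)

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding (%2527 -> %27 -> ') so double encoding cannot hide a quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_getapikey_requests(lines):
    """Return (ip, timestamp, status, decoded_query) for each flagged getApiKey request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m.group("target").partition("?")
        if "getapikey" not in path.lower():  # assumption: call name is in the path
            continue
        decoded = decode_fully(query)
        if SQLI_RE.search(decoded):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), decoded))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2020:09:14:02 +0100] "GET /eonapi/getApiKey?username=admin&password=secret HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Feb/2020:09:15:40 +0100] "GET /eonapi/getApiKey?username=x%27%20OR%201%3D1%20--%20&password=x HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Feb/2020:09:15:44 +0100] "GET /eonapi/getApiKey?username=x%2527%2520OR%25201&password=x HTTP/1.1" 401 40',
    '198.51.100.7 - - [10/Feb/2020:09:16:00 +0100] "GET /eonapi/otherCall HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in suspicious_getapikey_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned a success status is the one to investigate first; the pattern is a heuristic, so a legitimate value containing a quote will also be flagged.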

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8656

http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html

http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html

https://github.com/EyesOfNetworkCommunity/eonweb/issues/16