VYPR
Unrated severity · NVD Advisory · Published Jan 6, 2020 · Updated Aug 5, 2024

CVE-2019-19509


Description

An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET request to ajaxArchiveFiles.php because the path parameter is passed to the exec function without filtering, which can lead to command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

rConfig 3.9.3 allows authenticated remote command execution via unsanitized path parameter in ajaxArchiveFiles.php.

Vulnerability

In rConfig 3.9.3, the ajaxArchiveFiles.php endpoint passes the path parameter directly to the exec() function without any sanitization or validation. This allows an authenticated user to inject arbitrary system commands via a crafted GET request. The vulnerability is present in versions up to and including 3.9.3, as described in the CVE [1].

Exploitation

An attacker must have valid credentials to authenticate with the rConfig web interface. Once authenticated, they send a GET request to ajaxArchiveFiles.php with a malicious path parameter containing shell metacharacters (e.g., semicolons or backticks). For example, a request like ajaxArchiveFiles.php?path=;id; will execute the id command. A public exploit script is available in reference [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the web server process. This can lead to full system compromise, including data exfiltration, lateral movement, and potential persistence. The attack does not require any user interaction beyond authentication.

Mitigation

As of the publication date (2020-01-06), no official patch has been released by rConfig for version 3.9.3. Users are advised to restrict access to the affected endpoint, implement input validation via a web application firewall, or upgrade to a newer version if available [1]. At minimum, the exec() call should be replaced with safer alternatives and the path parameter should be strictly validated against an allowlist.
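A minimal illustration of the vulnerable pattern the advisory describes beside a hardened form of the handler (an added example, not rConfig's own code; the tar command, the ARCHIVE_BASE directory and the function names are assumptions):

```php
<?php
// Added example, not rConfig's own code: the tar command, base directory and
// function names are hypothetical stand-ins for the ajaxArchiveFiles.php handler.

// Vulnerable pattern described in the advisory: the "path" query parameter is
// concatenated into a command string for exec(), so /bin/sh interprets any
// shell metacharacter it contains as command syntax.
function archiveFilesVulnerable(string $path): int
{
    exec('tar -czf /tmp/archive.tgz ' . $path, $output, $status);
    return $status;
}

const ARCHIVE_BASE = '/var/www/rconfig/archives'; // hypothetical allowlisted directory

// Returns the validated path relative to ARCHIVE_BASE, or null if rejected.
function validateArchivePath(string $path): ?string
{
    // Gate 1: conservative character allowlist; ; ` | $ ( ) & and whitespace never pass.
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $path)) {
        return null;
    }
    // Gate 2: resolve symlinks and ".." and require the result to stay under the base.
    $base = realpath(ARCHIVE_BASE);
    $resolved = realpath(ARCHIVE_BASE . '/' . $path);
    if ($base === false || $resolved === false) {
        return null;
    }
    if ($resolved !== $base && strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved === $base ? '.' : substr($resolved, strlen($base) + 1);
}

// Hardened handler: validated input, and the command runs without a shell.
function archiveFilesHardened(string $path): int
{
    $relative = validateArchivePath($path);
    if ($relative === null) {
        return 1; // reject; the web layer should answer with HTTP 400
    }
    // proc_open() with an argv array (PHP >= 7.4) executes tar directly, so
    // $relative arrives as one argument and is never parsed by /bin/sh.
    $argv = ['tar', '-czf', '/tmp/archive.tgz', '-C', ARCHIVE_BASE, $relative];
    $proc = proc_open($argv, [], $pipes); // empty spec: inherit stdio
    return is_resource($proc) ? proc_close($proc) : 1;
}
```

Both gates matter: the character allowlist stops shell syntax from ever reaching a command, and the realpath check stops a syntactically clean value from pointing outside the intended directory.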

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
