'; } else{ echo ''; } echo 'Hillstone Networks'; } elseif ($_SERVER[HTTP_HOST] == "update1.huaantech.com.cn") { echo ''; echo 'huaantech'; } elseif ($_SERVER[HTTP_HOST] == "update1.dcnetworks.com.cn") { echo ''; echo 'dcnetworks'; } elseif ($_SERVER[HTTP_HOST] == "update1.w-ibeda.com") { if (false===strpos($_SERVER[REQUEST_URI],"/en/")) echo ''; else echo ''; echo 'w-ibeda'; } elseif ($_SERVER[HTTP_HOST] == "update1.hp-telecom.com") { echo ''; echo 'hp-telecom'; } elseif ($_SERVER[HTTP_HOST] == "update1.maipu.com") { echo ''; echo 'Maipu'; } elseif ($_SERVER[HTTP_HOST] == "update1.ncurity.com") { echo ''; echo 'Ncurity'; } elseif ($_SERVER[HTTP_HOST] == "update1.socusnetwork.com") { echo ''; echo 'Socusnetwork'; } else{ echo ''; echo 'Hillstone Networks'; } ?>
 
   
 

vul_app: phptax_pfilez_parameter_exec_remote_code_injection(Rule ID:1070210115)

Release Date2025/9/15

Rule NamePhpTax pfilez Parameter Exec Remote Code Injection Vulnerability

Severity:high

CVE ID

 

Descripiton

When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server. This rule supports to defend the A6: Vulnerable and Outdated Components of OWASP Top 10 - 2021.
Other reference:None

 

Solution

Update vendor patches.