This update adds 6 new modules: exploits for GroundWork, phpMyAdmin, WordPress W3 Total Cache and SAP, plus auxiliary modules for SAP and Apple Safari.
In addition, this update fixes 2 reported issues.
Exploit modules
- GroundWork monarch_scan.cgi OS Command Injection by juan vazquez and Johannes Greil exploits OSVDB-91051
- phpMyAdmin Authenticated Remote Code Execution via preg_replace() by Ben Campbell and Janek "waraxe" Vind exploits CVE-2013-3238
- Wordpress W3 Total Cache PHP Code Execution by juan vazquez, hdm, Christian Mehlmauer, and Unknown exploits OSVDB-92652
- SAP ConfigServlet Remote Code Execution by Andras Kabai and Dmitry Chastuhin exploits OSVDB-92704
Auxiliary and post modules
- SAP ConfigServlet OS Command Execution by Andras Kabai and Dmitry Chastuhin exploits OSVDB-92704
- Apple Safari .webarchive File Format UXSS by joev
Issues fixed
- 7875 - Fixed an issue where the badblue_passthru module would sometimes crash the target host.
- Fixed an issue that could prevent Metasploit Pro from talking to the Metasploit updates server (updates.metasploit.com) when the Metasploit service daemon was originally started without an active internet connection.
How to Upgrade
Metasploit Pro is upgraded from the Administration menu by choosing the Software Upgrade option. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.6.0 updates to 4.6.0-2013050101
MSF3 4.6.0 updates to 4.6.0-2013050101