[原文]The StateToOptions function in msfweb in Metasploit Framework 2.4 and earlier, when running with the -D option (defanged mode), allows attackers to modify temporary environment variables before the "_Defanged" environment option is checked when processing the Exploit command.
The msfweb component of the Metasploit Framework contains a flaw that allows a remote attacker to bypass "defanged mode" security restrictions. The issue is due to a logic error in the msfweb server, allowing a remote user to overwrite the internal "_Defanged" environment variable before the security check is performed.
Upgrade to version 2.4-current or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.