OpenPNE <= 3.8.9 (opSecurityUser.class.php) PHP Object Injection Vulnerability

2014.11.30
Credit: Egidio Romano
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

OpenPNE <= 3.8.9 (opSecurityUser.class.php) PHP Object Injection Vulnerability Software Link: http://www.openpne.jp/ Affected Versions: All versions from 3.6.0 to 3.6.13. All versions from 3.8.0 to 3.8.9. Vulnerability Description: The vulnerable code is located in the getRememberLoginCookie() method defined in /lib/user/opSecurityUser.class.php: protected function getRememberLoginCookie() { $key = md5(sfContext::getInstance()->getRequest()->getHost()); if ($value = sfContext::getInstance()->getRequest()->getCookie($key)) { $value = unserialize(base64_decode($value)); return $value; } } User input passed through cookies is not properly sanitized before being used in an unserialize() call at line 150. This could be exploited to delete arbitrary files or execute arbitrary PHP code via specially crafted serialized objects sent in a &#8220;Cookie&#8221; header. Solution: Update to version 3.6.13.1 or 3.8.9.1. Disclosure Timeline: [20/11/2013] Vendor notified [16/12/2013] Vendor acknowledges report and states fixed releases planned for January 2014 [27/12/2013] Vendor creates patches and states fixed releases planned for January 20, 2014 [08/01/2014] Vulnerability details sent to IPA Security Center [20/01/2014] Vendor released fixed versions [20/01/2014] Public disclosure CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5350 to this vulnerability.

Referencje:

http://www.openpne.jp/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top