Vanilla Forums 2.0.18.5 Local File Inclusion

2013.10.08
Credit: Egidio Romano
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2013-3528
CWE: CWE-98


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

------------------------------------------------------------------------------------------- Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object Injection Vulnerability ------------------------------------------------------------------------------------------- [-] Software Link: http://vanillaforums.org/ [-] Affected Versions: All versions from 2.0 to 2.0.18.5. [-] Vulnerability Description: The vulnerable code is located in /applications/dashboard/controllers/class.utilitycontroller.php: 316. // Get the message, response, and transientkey 317. $Messages = TrueStripSlashes(GetValue('Messages', $_POST)); 318. $Response = TrueStripSlashes(GetValue('Response', $_POST)); 319. $TransientKey = GetIncomingValue('TransientKey', ''); 320. 321. // If the key validates 322. $Session = Gdn::Session(); 323. if ($Session->ValidateTransientKey($TransientKey)) { 324. // If messages wasn't empty 325. if ($Messages != '') { 326. // Unserialize them & save them if necessary 327. $Messages = Gdn_Format::Unserialize($Messages); [...] 358. // If the response wasn't empty, save it in the config 359. if ($Response != '') 360. $Save['Garden.RequiredUpdates'] = Gdn_Format::Unserialize($Response); User input passed through the "Messages" and "Response" POST parameters is not properly sanitized before being used in a call to the "Gdn_Format::Unserialize" method at lines 327 and 360. This can be exploited to inject arbitrary PHP objects into the application scope, that could allow an attacker to conduct Local File Inclusion attacks by abusing the "Gdn_Module::__toString" method, which triggers a call to the "Gdn_Module::FetchView" method: 111. public function FetchView() { 112. $ViewPath = $this->FetchViewLocation(); 113. $String = ''; 114. ob_start(); 115. if(is_object($this->_Sender) && isset($this->_Sender->Data)) { 116. $Data = $this->_Sender->Data; 117. } else { 118. $Data = array(); 119. } 120. include ($ViewPath); The value returned by the "Gdn_Module::FetchViewLocation" method at line 112 can be controlled by the "_ApplicationFolder" object's property, which results in an arbitrary local file inclusion at line 120. Successful exploitation of the vulnerability using this vector requires the application running on PHP < 5.3.4, because it needs a null-byte injection attack. However, other attack vectors might be possible, e.g. leveraging magic methods of classes defined in third-party components. [-] Solution: Update to version 2.0.18.6 or higher. [-] Disclosure Timeline: [02/03/2013] - Vendor notified [22/03/2013] - Version 2.0.18.6 released: http://git.io/7EXdpQ [10/05/2013] - CVE number assigned [07/10/2013] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3528 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2013-09

References:

http://karmainsecurity.com/KIS-2013-09


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top