openSIS 5.2 PHP Code Injection

2013-12-08 / 2013-12-24
Credit: Egidio Romano
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

---------------------------------------------------------- openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability ---------------------------------------------------------- [-] Software Link: http://www.opensis.com/ [-] Affected Versions: All versions from 4.5 to 5.2. [-] Vulnerability Description: The vulnerable code is located in the /ajax.php script: 86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS)) 87. { 88. if($_REQUEST['_openSIS_PDF']=='true') 89. ob_start(); 90. if(strpos($_REQUEST['modname'],'?')!==false) 91. { 92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1)); 93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?')); 94. 95. $vars = explode('?',$vars); 96. foreach($vars as $code) 97. { 98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';"); 99. eval($code); 100. } 101. } User input passed through the "modname" request variable is not properly sanitized before being used in a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code. [-] Solution: As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009 [-] Disclosure Timeline: [04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/ [28/12/2012] - Vendor contacted, replied that the next version will fix the issue [12/01/2013] - CVE number requested [14/01/2013] - CVE number assigned [26/04/2013] - Version 5.2 released, however the issue isn't fixed yet [12/05/2013] - Vendor contacted again [15/05/2013] - Issue temporarily fixed in the SVN repository (r1009) [04/12/2013] - After one year still no official solution available [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1349 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2013-10

References:

http://karmainsecurity.com/KIS-2013-10
http://cxsecurity.com/issue/WLB-2013120162


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top