Contao CMS <= 3.2.5 PHP object insertion

2014.02.03
Credit: Pedro Ribeiro
Risk: High
Local: No
Remote: Yes
CWE: N/A

Hi, I have discovered a vulnerability that might lead to code execution in Contao CMS <= 3.2.4 Contao CMS <= 3.2.4 does not properly validate user input in several locations which is then passed directly into PHP's unserialize. This has been fixed in Contao 2.3.5 as per commit: https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957 and https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d Announcements can be found at https <https://contao.org/en/news/contao-3_2_5.html>://<https://contao.org/en/news/contao-3_2_5.html> contao.org <https://contao.org/en/news/contao-3_2_5.html>/<https://contao.org/en/news/contao-3_2_5.html> en <https://contao.org/en/news/contao-3_2_5.html>/news/<https://contao.org/en/news/contao-3_2_5.html> contao <https://contao.org/en/news/contao-3_2_5.html>-3_2_5.<https://contao.org/en/news/contao-3_2_5.html> html <https://contao.org/en/news/contao-3_2_5.html> https <https://contao.org/en/news/contao-2_11_14.html>://<https://contao.org/en/news/contao-2_11_14.html> contao.org <https://contao.org/en/news/contao-2_11_14.html>/<https://contao.org/en/news/contao-2_11_14.html> en <https://contao.org/en/news/contao-2_11_14.html>/news/<https://contao.org/en/news/contao-2_11_14.html> contao <https://contao.org/en/news/contao-2_11_14.html>-2_11_14.<https://contao.org/en/news/contao-2_11_14.html> html <https://contao.org/en/news/contao-2_11_14.html> Thanks to the Contao developers for being so responsive. The full report can be found at my repo in https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt Can you please assign a CVE for the vulnerability described above? Thanks in advance. Regards, Pedro Ribeiro Agile Information Security

References:

http://seclists.org/oss-sec/2014/q1/233


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top