ExpressionEngine 6.0.2 PHP Code Injection

2021.03.17
Credit: EgiX
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

----------------------------------------------------------------------------
ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://expressionengine.com/

[-] Affected Versions:

Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the
"ExpressionEngine\Controller\Utilities\Translate::save()" method:

362.    private function save($language, $file)
363.    {
364.
365.        $file = ee()->security->sanitize_filename($file);
366.
367.        $dest_dir = $this->languages_dir . $language . '/';
368.        $filename = $file . '_lang.php';
369.        $dest_loc = $dest_dir . $filename;
370.
371.        $str = '<?php' . "\n" . '$lang = array(' . "\n\n\n";
372.
373.        ee()->lang->loadfile($file);
374.
375.        foreach ($_POST as $key => $val) {
376.            $val = str_replace('<script', '', $val);
377.            $val = str_replace('<iframe', '', $val);
378.            $val = str_replace(array("\\", "'"), array("\\\\", "\'"), $val);
379.
380.            $str .= '\'' . $key . '\' => ' . "\n" . '\'' . $val . '\'' . ",\n\n";
381.        }
382.
383.        $str .= "''=>''\n);\n\n";
384.        $str .= "// End of File";

[...]

400.        $this->load->helper('file');
401.
402.        if (write_file($dest_loc, $str)) {
403.            ee('CP/Alert')->makeInline('shared-form')
404.                ->asSuccess()
405.                ->withTitle(lang('translations_saved'))
406.                ->addToBody(sprintf(lang('file_saved'), $dest_loc))
407.                ->defer();

User input passed via the keys of POST parameters is not properly sanitized before being appended to the "$str" variable at line 380: the escaping at lines 376-378 is applied only to the values, while each key is concatenated unescaped between single quotes. This variable is then used in a call to the "write_file()" function at line 402, which writes the user-supplied content into the /system/user/language/[lang]/[file]_lang.php file. A key containing a single quote therefore terminates the string literal, so this can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permissions to access the CP translation system utilities.
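The following is an added example, not code from the advisory or from ExpressionEngine: a Python model of the string building at lines 371-384, with a minimal scanner that strips the contents of single-quoted PHP literals so that whatever survives is code the PHP parser would execute. It shows that the value escaping of line 378 holds while a crafted key closes the quote, and contrasts it with an assumed hardening (an allow-list on key names plus the same escaping as for values); that hardening is an assumption for illustration, not the vendor's actual patch. The sample POST bodies are constructed.

```python
# Added example: a Python model of the lang-file writer in Translate::save()
# (lines 371-384 of the excerpt above). This is not ExpressionEngine code; the
# hardened variant is an assumed fix, not the vendor's actual patch.
import re


def escape_value(val: str) -> str:
    """Mirror lines 376-378: drop '<script'/'<iframe', then escape backslash and
    single quote (in that order) for a single-quoted PHP string literal."""
    val = val.replace("<script", "").replace("<iframe", "")
    return val.replace("\\", "\\\\").replace("'", "\\'")


def build_lang_file_vulnerable(post: dict) -> str:
    """Mirror lines 371-384: values are escaped, keys are concatenated raw."""
    out = "<?php\n$lang = array(\n\n\n"
    for key, val in post.items():
        out += "'" + key + "' => \n'" + escape_value(val) + "',\n\n"
    out += "''=>''\n);\n\n// End of File"
    return out


# Assumed allow-list for language keys: PHP identifier-like names only.
KEY_RE = re.compile(r"^[A-Za-z0-9_]+$")


def build_lang_file_hardened(post: dict) -> str:
    """Assumed fix: reject keys that are not plain identifiers, and escape the
    key the same way as the value so neither side can terminate the literal."""
    out = "<?php\n$lang = array(\n\n\n"
    for key, val in post.items():
        if not KEY_RE.match(key):
            raise ValueError(f"rejected language key: {key!r}")
        out += "'" + escape_value(key) + "' => \n'" + escape_value(val) + "',\n\n"
    out += "''=>''\n);\n\n// End of File"
    return out


def code_outside_strings(php: str) -> str:
    """Return the PHP source with the contents of single-quoted strings removed,
    honouring the only two escapes valid there (\\ and \'). Whatever survives
    is code the PHP parser would execute, i.e. the injection surface."""
    out, i, in_str = [], 0, False
    while i < len(php):
        c = php[i]
        if in_str:
            if c == "\\" and i + 1 < len(php) and php[i + 1] in "\\'":
                i += 2  # escaped backslash or quote stays inside the string
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


# Constructed sample POST bodies (not from the advisory).
BENIGN_POST = {"site_title": "Bob's site \\ intranet"}
# Crafted key: it avoids spaces, dots and brackets, which PHP rewrites to '_'
# or parses as array syntax when it builds $_POST, so the key reaches the
# foreach unchanged.
CRAFTED_POST = {"x'=>1,'y'=>system('id'),'z": "harmless value"}


def injected(post: dict) -> bool:
    """True when the generated file carries a function call outside any literal."""
    return "system(" in code_outside_strings(build_lang_file_vulnerable(post))


if __name__ == "__main__":
    print(build_lang_file_vulnerable(CRAFTED_POST))
    print("injected:", injected(CRAFTED_POST))
```

The scanner only needs to model single-quoted literals because that is the only string form the generated file uses; the benign body, with a quote and a backslash in the value, stays inside its literal, whereas the crafted key yields `=>1,'y'=>system(` outside any literal. The hardened builder refuses that key outright rather than trying to escape arbitrary key names.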
[-] Solution:

Upgrade to version 6.0.3, 5.4.2, or later.

[-] Disclosure Timeline:

[03/02/2021] - Vendor notified through HackerOne
[15/02/2021] - Vulnerability acknowledged by the vendor
[16/02/2021] - CVE number assigned
[17/02/2021] - Version 6.0.3 released
[04/03/2021] - Version 5.4.2 released
[15/03/2021] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-27230 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://hackerone.com/reports/1093444

[-] Original Advisory:

http://karmainsecurity.com/KIS-2021-03


Copyright 2021, cxsecurity.com
