-
Notifications
You must be signed in to change notification settings - Fork 168
/
egroupware-1.8.005.txt
71 lines (56 loc) · 2.86 KB
/
egroupware-1.8.005.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
> Vulnerabilities in EGroupware 1.8.005
> Discovered by Pedro Ribeiro ([email protected]) of Agile Information Security
====================================================================
Disclosure: 19/02/2014 / Last updated: 12/10/2014
Vulnerability: PHP object insertion leading to all kinds of badness (arbitrary file deletion, possible code execution) (CVE-2014-2027)
File(line): egroupware/addressbook/csv_import.php(257,258)
File(line): egroupware/calendar/csv_import.php(277,278)
File(line): egroupware/projectmanager/csv_import.php(324,325)
File(line): egroupware/infolog/csv_import.php(336,337)
File(line): egroupware/preferences/inc/class.uiaclprefs.inc.php(108)
Code snippet:
egroupware/addressbook/csv_import.php(257,258):
case 'next':
$_POST['addr_fields'] = unserialize(stripslashes($_POST['addr_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/calendar/csv_import.php(277,278):
case 'next':
$_POST['cal_fields'] = unserialize(stripslashes($_POST['cal_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/projectmanager/csv_import.php(324,325):
egroupware/infolog/csv_import.php(336,337):
case 'next':
$_POST['info_fields'] = unserialize(stripslashes($_POST['info_fields']));
$_POST['trans'] = unserialize(stripslashes($_POST['trans']));
egroupware/preferences/inc/class.uiaclprefs.inc.php(108):
if ($_POST['save'] || $_POST['apply'])
{
$processed = $_POST['processed'];
$to_remove = unserialize(urldecode($processed));
Arbitrary file overwrite in __destruct:
egroupware/etemplate/inc/class.etemplate_request_files.inc.php
140 function __destruct()
141 {
142 if ($this->remove_if_not_modified && !$this->data_modified)
143 {
144 //error_log(__METHOD__."() destroying $this->id");
145 @unlink(self::$directory.'/'.$this->id);
146 }
147 elseif (!$this->destroyed && $this->data_modified &&
148 !file_put_contents($filename = self::$directory.'/'.$this->id,serialize($this->data)))
149 {
150 error_log("Error opening '$filename' to store the etemplate request data!");
151 }
152 }
Comment:
User input is passed directly into unserialize(), leading to object insertion, arbitrary file deletion and possible code execution.
There are lots of classes with exploitable magic methods, and the above is just an example.
References:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
http://vagosec.org/2013/12/wordpress-rce-exploit/
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>