----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars =
substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname =
substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code =
decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not
properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to
inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch:
http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will
fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-10
Related Posts
Exclusive Updates from 'The Hacker News'20 Jan 20141p {margin:0;} .desc img {width:auto;height:auto;max-width:175px;float:right;padding:0 0 0 10px;} ...Read more »
Opencart Multiple Vulnerabilities06 Dec 20131########################################################################### # Title: Opencart Multip...Read more »
- [slackware-security] hplip (SSA:2013-339-04)05 Dec 20130
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] hplip (SSA:2013-339-04) New hp...Read more »
- [slackware-security] seamonkey (SSA:2013-339-03)05 Dec 20130
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] seamonkey (SSA:2013-339-03) Ne...Read more »
- [slackware-security] mozilla-thunderbird (SSA:2013-339-02)05 Dec 20130
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-thunderbird (SSA:2013-3...Read more »
Subscribe to:
Post Comments (Atom)
0 komentar:
Post a Comment
Click to see the code!
To insert emoticon you must added at least one space before the code.