lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 07 Oct 2013 08:01:22 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com
Subject: [KIS-2013-09] Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php)
 PHP Object Injection Vulnerability

-------------------------------------------------------------------------------------------
Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object 
Injection Vulnerability
-------------------------------------------------------------------------------------------


[-] Software Link:

http://vanillaforums.org/


[-] Affected Versions:

All versions from 2.0 to 2.0.18.5.


[-] Vulnerability Description:

The vulnerable code is located in 
/applications/dashboard/controllers/class.utilitycontroller.php:

316.	      // Get the message, response, and transientkey
317.	      $Messages = TrueStripSlashes(GetValue('Messages', $_POST));
318.	      $Response = TrueStripSlashes(GetValue('Response', $_POST));
319.	      $TransientKey = GetIncomingValue('TransientKey', '');
320.	
321.	      // If the key validates
322.	      $Session = Gdn::Session();
323.	      if ($Session->ValidateTransientKey($TransientKey)) {
324.	         // If messages wasn't empty
325.	         if ($Messages != '') {
326.	            // Unserialize them & save them if necessary
327.	            $Messages = Gdn_Format::Unserialize($Messages);

[...]

358.	         // If the response wasn't empty, save it in the config
359.	         if ($Response != '')
360.	            $Save['Garden.RequiredUpdates'] = 
Gdn_Format::Unserialize($Response);

User input passed through the "Messages" and "Response" POST parameters 
is not properly sanitized
before being used in a call to the "Gdn_Format::Unserialize" method at 
lines 327 and 360. This can
be exploited to inject arbitrary PHP objects into the application scope, 
that could allow an attacker
to conduct Local File Inclusion attacks by abusing the 
"Gdn_Module::__toString" method, which triggers
a call to the "Gdn_Module::FetchView" method:

111.	   public function FetchView() {
112.	      $ViewPath = $this->FetchViewLocation();
113.	      $String = '';
114.	      ob_start();
115.	      if(is_object($this->_Sender) && isset($this->_Sender->Data)) {
116.	         $Data = $this->_Sender->Data;
117.	      } else {
118.	         $Data = array();
119.	      }
120.	      include ($ViewPath);

The value returned by the "Gdn_Module::FetchViewLocation" method at line 
112 can be controlled by the
"_ApplicationFolder" object's property, which results in an arbitrary 
local file inclusion at line 120.
Successful exploitation of the vulnerability using this vector requires 
the application running on
PHP < 5.3.4, because it needs a null-byte injection attack. However, 
other attack vectors might
be possible, e.g. leveraging magic methods of classes defined in 
third-party components.


[-] Solution:

Update to version 2.0.18.6 or higher.


[-] Disclosure Timeline:

[02/03/2013] - Vendor notified
[22/03/2013] - Version 2.0.18.6 released: http://git.io/7EXdpQ
[10/05/2013] - CVE number assigned
[07/10/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3528 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-09

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ