lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 05 Dec 2013 20:34:59 +0100
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com
Subject: [KIS-2013-10] openSIS <= 5.2 (ajax.php) PHP Code Injection
 Vulnerability

----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------


[-] Software Link:

http://www.opensis.com/


[-] Affected Versions:

All versions from 4.5 to 5.2.


[-] Vulnerability Description:

The vulnerable code is located in the /ajax.php script:

86.	if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87.	{
88.		if($_REQUEST['_openSIS_PDF']=='true')
89.			ob_start();
90.		if(strpos($_REQUEST['modname'],'?')!==false)
91.		{
92.			$vars =  
substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93.			$modname =  
substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95.			$vars = explode('?',$vars);
96.			foreach($vars as $code)
97.			{
98.				$code =  
decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99.				eval($code);
100.			}
101.		}

User input passed through the "modname" request variable is not  
properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to  
inject and execute arbitrary PHP code.


[-] Solution:

As of December 5th, 2013 the only solution is this patch:  
http://sourceforge.net/p/opensis-ce/code/1009


[-] Disclosure Timeline:

[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will  
fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-10


Powered by blists - more mailing lists