lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 05 Feb 2014 23:13:29 +0100
From: Egidio Romano <research@...mainsecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [CVE-2014-1860] PHP object insertion /
 possible RCE in Contao CMS <= 3.2.4

Hello,

I believe this CVE should be rejected, because the vulnerabilities
actually don't exist, at least the ones mentioned in this report.

The reason is that user input is passed to the unserialize() function
through the Contao Input class, in which the Input::xssClean() method
removes all the NULL bytes from user input, meaning that an attacker can
be able to manipulate only the *public* properties of the injected
objects, because *protected* and *private* properties of a serialized
object are encoded with NULL bytes.

I haven't found any exploitable magic method in Contao which uses only
*public* properties, and the ones mentioned in the original report are
exploitable only through *protected* properties.

Therefore, unless someone provides a working Proof of Concept, I think
these shouldn't be considered actual security vulnerabilities.

Best Ragards,
Egidio Romano

>
> Hi,
>
> I have discovered a vulnerability that might lead to code execution in
> Contao CMS <= 3.2.4
> Contao CMS <= 3.2.4 does not properly validate user input in several
> locations which is then passed directly into PHP's unserialize.
>
> This has been fixed in Contao 3.2.5 as per commit:
>
https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957
> and
>
https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d
>
> Announcements can be found at
>
> https://contao.org/en/news/contao-3_2_5.html
>
> https://contao.org/en/news/contao-2_11_14.html
>
> Thanks to the Contao developers for being so responsive.
> The full report can be found at my repo in
> https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt
>
> Regards,
>
> Pedro Ribeiro
> Agile Information Security
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists