ExpressionEngine 6.0.2 PHP Code Injection ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on March 16th, 2021 📆 | 4032 Views ⚑

0

ExpressionEngine 6.0.2 PHP Code Injection ≈ Packet Storm

—————————————————————————-
ExpressionEngine < = 6.0.2 (Translate::save) PHP Code Injection
Vulnerability
—————————————————————————- [-] Software Link:

https://expressionengine.com/

[-] Affected Versions:

Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the
“ExpressionEngineControllerUtilitiesTranslate::save()” method:

362. private function save($language, $file)
363. {
364.
365. $file = ee()->security->sanitize_filename($file);
366.
367. $dest_dir = $this->languages_dir . $language . ‘/’;
368. $filename = $file . ‘_lang.php’;
369. $dest_loc = $dest_dir . $filename;
370.
371. $str = ‘< ?php' . "n" . '$lang = array(' . "nnn";
372.
373. ee()->lang->loadfile($file);
374.
375. foreach ($_POST as $key => $val) {
376. $val = str_replace(‘377. $val = str_replace(‘378. $val = str_replace(array(“\”, “‘”), array(“\\”,
“‘”), $val);
379.
380. $str .= ”’ . $key . ” => ‘ . “n” . ”’ . $val
. ”’ . “,nn”;
381. }
382.
383. $str .= “”=>”n);nn”;
384. $str .= “// End of File”;

[…]

400. $this->load->helper(‘file’);
401.
402. if (write_file($dest_loc, $str)) {
403. ee(‘CP/Alert’)->makeInline(‘shared-form’)
404. ->asSuccess()
405. ->withTitle(lang(‘translations_saved’))
406. ->addToBody(sprintf(lang(‘file_saved’),
$dest_loc))
407. ->defer();

User input passed via keys of POST parameters is not properly sanitized
before being assigned
to the “$str” variable at line 380. Such a variable will be used in a
call to the “write_file()”
function at line 402, trying to write user supplied content into the
/system/user/language/[lang]/[file]_lang.php file. This can be exploited
to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires an account with
permissions to access the CP translation system utilities.

[-] Solution:

Upgrade to version 6.0.3, 5.4.2, or later.

[-] Disclosure Timeline:

[03/02/2021] – Vendor notified through HackerOne
[15/02/2021] – Vulnerability acknowledged by the vendor
[16/02/2021] – CVE number assigned
[17/02/2021] – Version 6.0.3 released
[04/03/2021] – Version 5.4.2 released
[15/03/2021] – Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://hackerone.com/reports/1093444

[-] Original Advisory:

http://karmainsecurity.com/KIS-2021-03

Source link

Tagged with:



Leave a Reply