This repository has been archived by the owner on Sep 8, 2023. It is now read-only.
Security Fix for Arbitrary Code Execution - huntr.dev #1123
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/mufeedvh has fixed the Arbitrary Code Execution vulnerability 馃敤. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 馃挼. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/codiad/1/README.md
User Comments:
馃搳 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-packagist-codiad
鈿欙笍 Description *
The project
Codiad
accepted aPOST
request to the file/path/components/install/process.php
where the parametertimezone
when given a PHP payload (eval()
), it will get executed after saving the config file (saveFile()
).馃捇 Technical Description *
The lack of validation of user input leads to Arbitrary Code Execution. The
POST
request parametertimezone
accepted on/components/install/process.php
wasn't sanitized/escaped to be passed into a PHP code execution function which when given a payload like:will give you a reverse shell on
/data/config.php?cmd=
=>https://example.com/data/config.php?cmd=cat /etc/passwd
.馃悰 Proof of Concept (PoC) *
POST Request to
/components/install/process.php
:馃敟 Proof of Fix (PoF) *
Escaped the input value with
preg_replace()
where it doesn't allow any PHP function/code to be executed. As it's atimezone
value, it will only accepts values like / make the value like:because it's passed to
date_default_timezone_set()
on line163
so it should accept values like the examples above.馃憤 User Acceptance Testing (UAT)
Escapes a user input with Regex to only accept timezone values, no other breaking changes are introduced.