Summary
Memcached text protocol injection via key names when using the raw socket fallback client, and no authentication by default, which exposes all destructive operations to anyone who can reach the dashboard.
Findings
1. No Authentication by Default (CRITICAL)
index.php:34-41 — Auth is entirely optional and disabled by default (commented out in config.dist.php). Docker deployments ship without authentication, exposing: flushDB(), key deletion, key creation/modification, phpinfo(), Redis CONFIG SET, import/export. Particularly dangerous with Docker where -p 8080:80 could be publicly exposed.
2. Memcached Protocol Injection via Key Names (HIGH)
src/Dashboards/Memcached/PHPMem.php:69-113 — The raw socket client constructs Memcached text protocol commands by concatenating user-supplied key names:
```php
$raw = $this->runCommand('set '.$key.' 0 '.$expiration.' '.strlen($value)."\r\n".$value);
$raw = $this->runCommand('get '.$key);
$this->runCommand('delete '.$key);
```
runCommand() (line 422) converts the literal four-character sequence \r\n into an actual CRLF via strtr(), enabling protocol injection: a key containing that sequence terminates the current command line and starts a new one. Keys come from Http::post('key') with FILTER_UNSAFE_RAW, which does NOT sanitize CRLF. An attacker can inject arbitrary Memcached commands (e.g., flush_all).
3. Memcached Value Injection (HIGH)
PHPMem.php:74-75 — Values in set commands also pass through the strtr() CRLF conversion. The byte count in the set header is computed with strlen($value) before the substitution, so when a value contains literal \r\n strings the declared length no longer matches the bytes sent, desynchronizing the protocol framing.
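The hardened construction for findings 2 and 3, as an added example rather than code from the phpCacheAdmin project: keys are validated against the text protocol's own rules (no whitespace or control characters, at most 250 bytes) before they are concatenated, and values are framed purely by their byte length and sent verbatim, with no strtr() pass over the assembled command. The class and method names are assumptions for illustration.

```php
<?php
// Added example (not code from the phpCacheAdmin project). Builds Memcached
// text protocol commands without ever rewriting user-controlled bytes.

final class SafeMemcachedCommand
{
    // The text protocol limits keys to 250 bytes with no whitespace or
    // control characters.
    private const MAX_KEY_LENGTH = 250;

    /**
     * Reject any key that could break out of the command line.
     * Only printable ASCII without spaces (0x21..0x7E) is accepted, which
     * refuses CR, LF, NUL and every other control byte.
     */
    public static function validateKey(string $key): string
    {
        if ($key === '' || strlen($key) > self::MAX_KEY_LENGTH) {
            throw new InvalidArgumentException('Invalid key length');
        }
        if (preg_match('/[^\x21-\x7E]/', $key) === 1) {
            throw new InvalidArgumentException('Key contains whitespace or control characters');
        }
        return $key;
    }

    /**
     * Build a `set` command as raw bytes. The data block is framed by its
     * byte length, so the value may legitimately contain CRLF and is sent
     * untouched; the declared length always matches what goes on the wire.
     */
    public static function buildSet(string $key, string $value, int $expiration, int $flags = 0): string
    {
        $key = self::validateKey($key);
        if ($expiration < 0 || $flags < 0) {
            throw new InvalidArgumentException('Expiration and flags must be non-negative');
        }
        return sprintf("set %s %d %d %d\r\n", $key, $flags, $expiration, strlen($value))
            . $value . "\r\n";
    }

    public static function buildGet(string $key): string
    {
        return 'get ' . self::validateKey($key) . "\r\n";
    }

    public static function buildDelete(string $key): string
    {
        return 'delete ' . self::validateKey($key) . "\r\n";
    }
}

// Constructed inputs: a legitimate key with a value that itself contains
// CRLF, and a key carrying the CRLF sequence the finding describes.
$frame = SafeMemcachedCommand::buildSet('session:42', "a\r\nb", 60);
echo bin2hex($frame), PHP_EOL;

try {
    SafeMemcachedCommand::buildGet("bad\r\nkey");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

For the first call the command line reads `set session:42 0 60 4` and is followed by the four raw bytes of the value and a terminating CRLF; the embedded CRLF inside the value cannot be mistaken for a command boundary because the server reads exactly the declared number of bytes. The second call never reaches the socket. Keeping runCommand() free of any strtr() rewriting is the other half of the fix: the caller is responsible for supplying real CRLF bytes, and nothing downstream reinterprets the payload.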
4. phpinfo() Disclosure (MEDIUM)
src/Dashboards/Server/ServerTrait.php:53-59 — Full phpinfo() output exposed without auth, including ENV variables which may contain PCA_REDIS_0_PASSWORD and other credentials.
5. No CSRF Protection (MEDIUM)
Zero CSRF tokens anywhere in the codebase. All destructive operations (flush, delete, CONFIG SET) can be triggered by cross-origin requests.
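One way to close finding 5, as an added example that is not the project's code: a synchronizer token stored in the PHP session, emitted as a hidden field in every form that changes state, and verified with a constant-time comparison before any flush, delete or CONFIG SET handler runs. Class and method names are assumptions; the session cookie is additionally marked SameSite so that plain cross-site form posts do not carry it.

```php
<?php
// Added example (not code from the phpCacheAdmin project): minimal
// synchronizer-token CSRF guard for destructive POST actions.

final class CsrfGuard
{
    private const SESSION_KEY = '_csrf_token';

    /** Start the session with hardened cookie flags (PHP 7.3+ array form). */
    private static function ensureSession(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }

    /** Return the per-session token, generating it on first use. */
    public static function token(): string
    {
        self::ensureSession();
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** Hidden field to embed in every form that performs a state change. */
    public static function field(): string
    {
        return '<input type="hidden" name="_csrf" value="'
            . htmlspecialchars(self::token(), ENT_QUOTES, 'UTF-8') . '">';
    }

    /** Constant-time check of a submitted token against the session token. */
    public static function validate(?string $submitted): bool
    {
        return is_string($submitted) && hash_equals(self::token(), $submitted);
    }

    /** Call at the top of any handler that flushes, deletes or reconfigures. */
    public static function requireValid(): void
    {
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST'
            || !self::validate($_POST['_csrf'] ?? null)) {
            http_response_code(403);
            exit('Invalid or missing CSRF token');
        }
    }
}

// Hypothetical use in a flush handler: the guard runs before the action.
// CsrfGuard::requireValid();
// $cache->flush();
```

Requiring POST as well as the token matters here: several of the listed operations are reachable today through links, and a GET-triggered flush is exactly the cross-origin request the finding describes. Rendering `CsrfGuard::field()` inside each form keeps the token out of URLs and referrers.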
Recommended Fix
- Enable authentication by default in Docker image and config
- Sanitize key names to reject CRLF characters before building Memcached commands
- Add CSRF token validation