Authenticated Remote Code Execution #342
Comments
Developer-level users have complete code-execution access (they can both write to the filesystem and use eval through field parsers), and they are the only ones able to access hooks. Am I misunderstanding, and is there a way for regular users or admins to set hooks?
Despite that, it got assigned CVE-2018-17030 =(
As long as some social engineering methods are used to let developer level users set
As a security researcher, my goal is to investigate whether there are vulnerabilities in the system; not all vulnerabilities need to be easy to apply. If you think that what I said is unreasonable and that this is not a vulnerability, then you can choose to ignore it. Thank you.
Can you tell me more about what the social engineering angle would be there? Usually it's something like a cross-site request forgery attack. If the attack is limited to a situation where you can access someone's user account because they gave you a username and password, there are all kinds of damage they could do. Thanks!
The attacker does not necessarily need to obtain a developer-level user's account, just try to trick the developer-level users into having
I'm not really buying that line of logic. Having another user account "trick" a developer into inserting a hook doesn't really sound like something the person who made the site would just do without a reason.
I think that a vulnerability is still a vulnerability even if it is difficult to exploit. If you still think this is not a vulnerability, you can ignore it.
FILE: `/core/admin/auto-modules/forms/process.php`

We can set `$bigtree["form"]["hooks"]["post"]` to `preg_replace` and use the "\e" modifier to execute arbitrary code.

PoC:
![](https://camo.githubusercontent.com/461f8db43afedd4239a9d5b046b655f2201fda51ccede054f1f695ac0f8f2f2c/68747470733a2f2f7069632d313235343131333739312e636f732e61702d6265696a696e672e6d7971636c6f75642e636f6d2f32303138303931333039323633342e706e67)
![](https://camo.githubusercontent.com/b032f3bb854d244ae1cf0be8e3a5933d4d5559e2a94640547c7408a217bb3e51/68747470733a2f2f7069632d313235343131333739312e636f732e61702d6265696a696e672e6d7971636c6f75642e636f6d2f32303138303931333039333032302e706e67)
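The dispatch pattern the report relies on, shown as an added illustration that is not BigTree's own code (the dispatcher functions, the hook signature, the argument layout and the allowlist are all assumptions made here): any string stored as the hook name that satisfies `is_callable()` gets invoked with form-controlled arguments, which is exactly what makes a hook of `preg_replace` plus a pattern carrying the `e` modifier dangerous. Two caveats a practitioner should keep in mind: the `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the eval step only fires on PHP 5.x, and, as discussed above, setting the hook requires developer-level access in the first place. The hardened dispatcher below closes the generic problem rather than the one function, by requiring hooks to come from an explicit allowlist and refusing PHP internals outright.

```php
<?php
// Added illustration for the hook dispatch discussed in this issue. This is NOT
// BigTree's code; run_post_hook_unsafe(), run_post_hook(), the allowlist and the
// argument layout are assumptions used to show the mechanism.
// The preg_replace "e" modifier was deprecated in PHP 5.5 and removed in 7.0,
// so the eval path only triggers on PHP 5.x; PHP 7+ warns about an unknown
// modifier and returns NULL instead.

declare(strict_types=1);

// Hypothetical vulnerable dispatcher: whatever string is stored as the "post"
// hook is invoked with arguments taken from the submitted form data.
function run_post_hook_unsafe(string $hook, array $args)
{
    if (!is_callable($hook)) {
        throw new RuntimeException("hook is not callable: $hook");
    }
    // Every PHP built-in satisfies is_callable(): preg_replace, assert,
    // system, ... The caller's data becomes that function's arguments.
    return call_user_func_array($hook, $args);
}

// Hardened variant: only accept hooks from an explicit allowlist of
// project-defined functions, and never an internal (built-in) function.
function run_post_hook(string $hook, array $args, array $allowlist)
{
    if (!in_array($hook, $allowlist, true)) {
        throw new RuntimeException("hook not allowed: $hook");
    }
    $ref = new ReflectionFunction($hook);
    if ($ref->isInternal()) {
        throw new RuntimeException("internal PHP functions may not be used as hooks");
    }
    return $ref->invokeArgs($args);
}

// A legitimate, project-defined hook (hypothetical).
function my_module_post_save(array $form): string
{
    return 'saved ' . count($form) . ' fields';
}

// Constructed form data in the shape an attacker would submit if the hook were
// set to "preg_replace": pattern with the e modifier, replacement = PHP code,
// and a subject for the match to succeed on.
$attackerArgs = ['/.*/e', 'phpinfo()', 'anything'];

// Unsafe dispatcher: on PHP 5.x this evaluates phpinfo().
run_post_hook_unsafe('preg_replace', $attackerArgs);

// Hardened dispatcher: the same input is rejected before any call is made.
try {
    run_post_hook('preg_replace', $attackerArgs, ['my_module_post_save']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The allowlisted project hook still works as intended.
echo run_post_hook('my_module_post_save', [['title' => 'x']], ['my_module_post_save']), PHP_EOL;
```

The allowlist is the important part: checking `ReflectionFunction::isInternal()` alone would still let a developer point the hook at any user-defined function that happens to be loaded, so the two checks are meant to be used together.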