Unauthenticated Remote Code Execution (RCE) in SoyCMS #10

Closed
stypr opened this issue Sep 14, 2020 · 1 comment · Fixed by #12

Comments


stypr commented Sep 14, 2020

Title

Unauthenticated Remote Code Execution (RCE) in SoyCMS

Summary

Severity: Critical

SoyCMS 3.0.2 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled on the website. The vulnerability is caused by unserializing the form data without any restrictions.

Impact: Unauthenticated Remote Code Execution via Inquiry Form

  • Attack vector is: Inquiry Form needs to be enabled.
  • Components are: Soy Inquiry Form
  • Tested SoyCMS Version : 3.0.2 (latest)
  • Affected SoyCMS Version : ~3.0.2

Found by @stypr from Vulnerability Research Team in Flatt Security Inc.

Full Exploit Video: https://youtu.be/zAE4Swjc-GU

Cause

When the inquiry is submitted and the captcha is taken, the form submits form_value and form_hash, and the value is checked as follows.

```php
if(isset($_POST["form_value"]) && isset($_POST["form_hash"])){
    $value = base64_decode($_POST["form_value"]);
    // only if the value has not been tampered with
    if(md5($value) == $_POST["form_hash"]){
        $_POST["data"] = unserialize($value);
    }
}
```

According to PHP's official documentation, unserialize is a function that should not be used when the user can control the argument (Reference: https://www.php.net/manual/en/function.unserialize.php)

A form_hash satisfying md5($value) == form_hash can be generated locally, so it is possible to control this value and use appropriate classes to trigger code execution.

Remediation

Use json_encode and json_decode instead.

I will make a Fix PR as soon as possible.
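The following is an added example (not SoyCMS code and not part of the issue above) showing the vulnerable pattern described in the report next to a hardened replacement. The class and function names are illustrative; `DemoGadget` stands in for whatever gadget class an attacker would actually target, and the HMAC secret is assumed to come from server-side configuration, which goes a step beyond the json_encode/json_decode remediation proposed in the issue.

```php
<?php
// Added example, not SoyCMS code. Names are illustrative.

// Stand-in for a gadget class: any class with a magic method that runs
// during unserialize() would do. This one only reports that it ran.
class DemoGadget {
    public $cmd = 'id';
    public function __wakeup() {
        // a real gadget would do something like system($this->cmd) here
        echo "__wakeup() ran with cmd={$this->cmd}\n";
    }
}

// Vulnerable: md5() is an unkeyed hash, so the sender can compute a matching
// form_hash for any form_value. The check proves nothing about origin.
function vulnerable_restore(array $post) {
    if (isset($post['form_value']) && isset($post['form_hash'])) {
        $value = base64_decode($post['form_value']);
        if (md5($value) == $post['form_hash']) {
            return unserialize($value);   // attacker-controlled bytes reach unserialize()
        }
    }
    return null;
}

// Hardened: json_decode() never instantiates classes, so no gadget chain can
// fire; a keyed HMAC makes form_hash unforgeable without the server secret;
// hash_equals() avoids the loose == comparison and timing leaks.
function hardened_restore(array $post, string $secret) {
    if (!isset($post['form_value'], $post['form_hash'])) {
        return null;
    }
    $value = base64_decode($post['form_value'], true);   // strict: reject junk
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, $secret);
    if (!hash_equals($expected, (string) $post['form_hash'])) {
        return null;                                       // forged or tampered
    }
    $data = json_decode($value, true, 8);                  // arrays only, bounded depth
    return is_array($data) ? $data : null;
}

// Server side of the hardened scheme: what the captcha page would emit.
function hardened_encode(array $data, string $secret): array {
    $json = json_encode($data);
    return [
        'form_value' => base64_encode($json),
        'form_hash'  => hash_hmac('sha256', $json, $secret),
    ];
}

// --- Demonstration with a constructed request (no network involved) ---------
// What an attacker sends: a serialized DemoGadget plus the md5 computed locally.
$payload = serialize(new DemoGadget());   // O:10:"DemoGadget":1:{s:3:"cmd";s:2:"id";}
$forged  = ['form_value' => base64_encode($payload), 'form_hash' => md5($payload)];

$obj = vulnerable_restore($forged);       // __wakeup() runs during unserialize()
var_dump($obj instanceof DemoGadget);     // bool(true)

$secret = 'server-side-secret-from-config';   // assumption: never sent to the client
var_dump(hardened_restore($forged, $secret)); // NULL: md5 is not the HMAC, rejected
var_dump(hardened_restore(hardened_encode(['name' => 'alice'], $secret), $secret)); // array(1) { ["name"]=> string(5) "alice" }
```

Note that constructing `new DemoGadget()` for `serialize()` does not trigger `__wakeup()`; only `unserialize()` does, which is exactly why the vulnerable path matters and the JSON path does not.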


stypr commented Sep 14, 2020

The previous PR had a collision with DAO column verification. I will check and make a proper fix.
