Unauthenticated Remote Code Execution (RCE) in SoyCMS
Summary
Severity: Critical
SoyCMS 3.0.2 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The flaw allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the website. The vulnerability is caused by unserializing the submitted form value without any restrictions.
Impact: Unauthenticated Remote Code Execution via Inquiry Form
Attack vector is: Inquiry Form needs to be enabled.
Found by @stypr from Vulnerability Research Team in Flatt Security Inc.
Full Exploit Video: https://youtu.be/zAE4Swjc-GU
Cause
When the inquiry is submitted and the captcha check is passed, the form submits form_value and form_hash, and the value is checked as follows (soycms/cms/app/webapp/inquiry/page.php, lines 126 to 133 in 0373eb1).
According to PHP's official documentation, unserialize should not be called on data the user can control (Reference: https://www.php.net/manual/en/function.unserialize.php).
Because the check is md5($value) == form_hash, a matching form_hash can be generated locally, so it is possible to control this value and use appropriate classes to trigger code execution.

Remediation
Use json_encode and json_decode instead.

I will make a Fix PR as soon as possible.
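The pattern described above, shown next to a hardened version, as an added example that is not SoyCMS's code: the parameter names follow the report, but the function names, the HMAC secret and the sample form data are placeholders chosen for illustration.

```php
<?php
// Added example (not SoyCMS code). Function names, secret and sample data are
// placeholders; only the form_value / form_hash parameters come from the report.

// Unsafe pattern: the hash is md5 of the value itself, so whoever controls
// form_value can also compute a matching form_hash. The check adds no
// integrity, and unserialize() then instantiates whatever classes the
// serialized string names.
function restoreFormUnsafe(array $post)
{
    $value = $post['form_value'] ?? '';
    $hash  = $post['form_hash'] ?? '';
    if (md5($value) == $hash) {      // loose ==, client-computable hash
        return unserialize($value);  // arbitrary object instantiation
    }
    return null;
}

// Hardened version: carry the form state as JSON (json_decode never creates
// application objects) and bind it with an HMAC under a server-side secret so
// the client cannot forge the tag. Compare with hash_equals(), not ==.
function signFormState(array $state, string $secret): array
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return [
        'form_value' => $json,
        'form_hash'  => hash_hmac('sha256', $json, $secret),
    ];
}

function restoreFormSafe(array $post, string $secret): ?array
{
    $value    = (string)($post['form_value'] ?? '');
    $hash     = (string)($post['form_hash'] ?? '');
    $expected = hash_hmac('sha256', $value, $secret);
    if (!hash_equals($expected, $hash)) {
        return null;                 // tampered or forged: reject before parsing
    }
    $data = json_decode($value, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;  // arrays and scalars only, never objects
}

// Demo with constructed input. The secret must be random and kept server-side.
$secret = 'replace-with-random-server-secret';  // placeholder
$signed = signFormState(['name' => 'Alice', 'email' => 'alice@example.com'], $secret);
var_dump(restoreFormSafe($signed, $secret));    // accepted: tag matches
$signed['form_value'] = '{"name":"Mallory"}';   // client edited the value
var_dump(restoreFormSafe($signed, $secret));    // rejected: tag no longer matches
```

If serialized data cannot be replaced immediately, unserialize($value, ['allowed_classes' => false]) at least prevents object instantiation, but the JSON plus HMAC approach removes the class of bug entirely.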