On 31 March 2022 at 17:10, 0verf1ow ***@***.***> wrote:
Closed #403.
The "Encryption Key" parameter of the installation page URI "/install/?step=user&lang=en" is not strictly filtered, and any string can be written to the "application/config/config.php" file, resulting in arbitrary code execution.
Vulnerability reason
The configuration file is written directly without filtering.
Where the vulnerability occurs: https://github.com/ionize/ionize/blob/master/install/class/Installer.php#L1035
Vulnerability Demo
When installing to user settings, the value of the Encryption Key will be written to the configuration file "application/config/config.php".
payload:
Enter payload to submit
Ok, the payload has been successfully written into
Try command execution
Bugfix
Only letters and numbers are allowed; no other characters are allowed.
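One way to implement the letters-and-numbers restriction proposed above, as an added example that is not Ionize's code and not part of the original report. The function names, the `$config['encryption_key']` line format and the 16 to 128 length bounds are assumptions of this example.

```php
<?php
// Added example: hypothetical helper names, not taken from Ionize's Installer.php.

/**
 * Allowlist check: ASCII letters and digits only, as the report's bugfix asks.
 * \A and \z anchor the whole string; a plain "$" would also accept a value
 * that ends in a newline. The 16..128 length bounds are an assumption.
 */
function is_valid_encryption_key($key): bool
{
    return is_string($key)
        && preg_match('/\A[A-Za-z0-9]{16,128}\z/', $key) === 1;
}

/**
 * Build the line that goes into the config file (line format assumed).
 * var_export() emits a correctly escaped PHP string literal, so the value
 * stays data even if the validation above is loosened later.
 */
function render_encryption_key_line(string $key): string
{
    if (!is_valid_encryption_key($key)) {
        throw new InvalidArgumentException(
            'Encryption key must be 16-128 letters or digits.'
        );
    }
    return '$config[\'encryption_key\'] = ' . var_export($key, true) . ";\n";
}

// Constructed sample inputs (not from the report).
$samples = [
    'A1b2C3d4E5f6G7h8I9j0',        // 20 letters and digits
    'short',                       // below the minimum length
    "abcdefghijklmnop'qrstuv",     // contains a single quote
    "A1b2C3d4E5f6G7h8I9j0\n",      // trailing newline
];

foreach ($samples as $s) {
    try {
        echo 'OK   ', render_encryption_key_line($s);
    } catch (InvalidArgumentException $e) {
        echo 'FAIL ', json_encode($s), ': ', $e->getMessage(), "\n";
    }
}
```

The allowlist rejects the input before anything is written, and the `var_export()` encoding is a second layer that does not depend on the allowlist being correct.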