Teampass allows users to choose from several different languages. The user changes their language preference by sending a POST request to Teampass (/teampass/sources/users.queries.php) that contains the string of the language they choose (“english”, “spanish”, etc). This string provided by the user is not validated or sanitized in any way.
After the string provided by the user is stored in the DB, it is eventually used in core.php during login on line 78:
require_once $SETTINGS['cpassman_dir'].'/includes/language/'.$_SESSION['user_language'].'.php';
This allows any user to file_include any existing PHP file on disk. If a user could upload their own PHP file, then it could be combined with this bug to achieve code execution on the Teampass server.
Steps to reproduce
Send a POST request to change user language, but modify the value of the newValue parameter to a value of your choosing (e.g. ../backups/script.backup).
Log out and log back in to force the TeamPass server to read the PHP file of your choosing.
Steps to fix
Validate the value from the “newValue” parameter. The only permissible values should be a hard-coded list of strings that exist in the /includes/language/ directory, e.g. $validLanguages = array('arabic', 'bulgarian', 'etc');.
In the case of a non-valid value, Teampass should deny the language change and immediately stop processing the data in the newValue parameter. This validation could potentially occur here, where the userlanguage parameter is processed.
Server configuration
Teampass version:
2.1.27.36
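An added example, not Teampass code, of the allowlist check described under "Steps to fix", applied both where newValue is received and where the include path is built. The function names, the abbreviated language list, the 'english' fallback and the base path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hard-coded allowlist, abbreviated here to names that appear in the report;
// a real list would carry every file shipped in includes/language/.
const VALID_LANGUAGES = ['arabic', 'bulgarian', 'english', 'spanish'];

/**
 * Return the language name if it is on the allowlist, otherwise null.
 * Hypothetical helper, meant to run where the newValue parameter is received.
 */
function validateLanguage($candidate): ?string
{
    if (!is_string($candidate)) {
        return null; // arrays and other types sent in the POST body are refused
    }
    // Strict comparison: no type juggling, no prefix or case-insensitive matches.
    return in_array($candidate, VALID_LANGUAGES, true) ? $candidate : null;
}

/**
 * Build the include path for a stored preference. Re-validating at this point
 * also covers values written to the DB before the write-side check existed.
 * The 'english' fallback is an assumption, not documented Teampass behaviour.
 */
function languageFilePath(string $baseDir, $stored, string $fallback = 'english'): string
{
    $language = validateLanguage($stored) ?? $fallback;
    return rtrim($baseDir, '/') . '/includes/language/' . $language . '.php';
}

// Constructed inputs: two legitimate values, the value from the report,
// and malformed ones. The base path is a placeholder.
$samples = ['english', 'spanish', '../backups/script.backup', 'English', '', ['english']];
foreach ($samples as $value) {
    $shown = is_array($value) ? 'array' : var_export($value, true);
    $verdict = validateLanguage($value) === null ? 'rejected' : 'accepted';
    echo str_pad($shown, 30) . $verdict . ' -> '
        . languageFilePath('/var/www/teampass', $value) . PHP_EOL;
}
```

Because the path is assembled only from a string taken out of the allowlist, a rejected value never reaches the path concatenation at all.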
@sata-sa I updated the steps to fix with a bit more information. Does that help?
After the "hardcoded" values, will this be archived automatically?
I'm not sure what you mean. Are you asking if this issue could be closed after the userlanguage parameter is validated against a list of acceptable values? Then yes, that is all that is needed here.