0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vanilla Forums 2.0 - 2.0.18.5 PHP Object Injection Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
-------------------------------------------------------------------------------------------
Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------------------------------
[-] Software Link:
http://vanillaforums.org/
[-] Affected Versions:
All versions from 2.0 to 2.0.18.5.
[-] Vulnerability Description:
The vulnerable code is located in /applications/dashboard/controllers/class.utilitycontroller.php:
316. // Get the message, response, and transientkey
317. $Messages = TrueStripSlashes(GetValue('Messages', $_POST));
318. $Response = TrueStripSlashes(GetValue('Response', $_POST));
319. $TransientKey = GetIncomingValue('TransientKey', '');
320.
321. // If the key validates
322. $Session = Gdn::Session();
323. if ($Session->ValidateTransientKey($TransientKey)) {
324. // If messages wasn't empty
325. if ($Messages != '') {
326. // Unserialize them & save them if necessary
327. $Messages = Gdn_Format::Unserialize($Messages);
[...]
358. // If the response wasn't empty, save it in the config
359. if ($Response != '')
360. $Save['Garden.RequiredUpdates'] = Gdn_Format::Unserialize($Response);
User input passed through the "Messages" and "Response" POST parameters is not properly sanitized
before being used in a call to the "Gdn_Format::Unserialize" method at lines 327 and 360. This can
be exploited to inject arbitrary PHP objects into the application scope, that could allow an attacker
to conduct Local File Inclusion attacks by abusing the "Gdn_Module::__toString" method, which triggers
a call to the "Gdn_Module::FetchView" method:
111. public function FetchView() {
112. $ViewPath = $this->FetchViewLocation();
113. $String = '';
114. ob_start();
115. if(is_object($this->_Sender) && isset($this->_Sender->Data)) {
116. $Data = $this->_Sender->Data;
117. } else {
118. $Data = array();
119. }
120. include ($ViewPath);
The value returned by the "Gdn_Module::FetchViewLocation" method at line 112 can be controlled by the
"_ApplicationFolder" object's property, which results in an arbitrary local file inclusion at line 120.
Successful exploitation of the vulnerability using this vector requires the application running on
PHP < 5.3.4, because it needs a null-byte injection attack. However, other attack vectors might
be possible, e.g. leveraging magic methods of classes defined in third-party components.
[-] Solution:
Update to version 2.0.18.6 or higher.
[-] Disclosure Timeline:
[02/03/2013] - Vendor notified
[22/03/2013] - Version 2.0.18.6 released: http://git.io/7EXdpQ
[10/05/2013] - CVE number assigned
[07/10/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3528 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-09
# 0day.today [2024-11-15] #