0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Tuleap 9.6 Second-Order PHP Object Injection Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
-------------------------------------------------------------
Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability
-------------------------------------------------------------
[-] Software Links:
https://www.tuleap.org
https://www.enalean.com
[-] Affected Versions:
All versions from 5.0 to 9.6.
[-] Vulnerability Description:
The vulnerable code can be triggered through the User::getRecentElements() method defined in /src/common/user/User.class.php:
1425. public function getRecentElements() {
1426. if ($recent_elements = $this->getPreference(self::PREFERENCE_RECENT_ELEMENTS)) {
1427. if ($recent_elements = unserialize($recent_elements)) {
1428. if (is_array($recent_elements)) {
1429. return $recent_elements;
1430. }
1431. }
1432. //somthing wrong happen. Delete the preference
1433. $this->delPreference(self::PREFERENCE_RECENT_ELEMENTS);
1434. }
1435. return array();
1436. }
The vulnerability exists because this method is using the unserialize() function with a value that can be arbitrarily manipulated by a user through
the REST API interface. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow authenticated attackers to
execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires an user account with
permissions to create or access artifacts in a tracker.
[-] Solution:
Update to version 9.7 or later.
[-] Disclosure Timeline:
[03/04/2017] - Vendor notified
[03/04/2017] - Vendor acknowledgement
[03/04/2017] - Vendor submitted artifact: https://tuleap.net/plugins/tracker/?aid=10118
[03/04/2017] - CVE number requested
[03/04/2017] - CVE number assigned
[05/04/2017] - Vulnerability fixed on the git repository: https://goo.gl/X2AT4z
[26/04/2017] - Version 9.7 released
[23/10/2017] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2017-7411 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
# 0day.today [2024-11-15] #