Description
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
Affected Software
Related
{"id": "CVE-2021-27230", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-27230", "description": "ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.", "published": "2021-03-15T23:15:00", "modified": "2021-03-22T14:23:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27230", "reporter": "cve@mitre.org", "references": ["https://hackerone.com/reports/1093444", "http://karmainsecurity.com/KIS-2021-03", "https://expressionengine.com/features", "http://seclists.org/fulldisclosure/2021/Mar/32", "http://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html"], "cvelist": ["CVE-2021-27230"], "immutableFields": [], "lastseen": "2022-03-23T15:59:53", "viewCount": 49, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:161805"]}, {"type": "zdt", "idList": ["1337DAY-ID-35960"]}], "rev": 4}, "score": {"value": 4.4, "vector": "NONE"}, "twitter": {"counter": 5, "modified": "2021-03-17T12:32:33", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1374005547003961348", "text": " NEW: CVE-2021-27230 ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/... (click for more) Severity: HIGH https://t.co/fhBZ5J18OK?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1374005547003961348", "text": " NEW: CVE-2021-27230 ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/... (click for more) Severity: HIGH https://t.co/fhBZ5J18OK?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1374040866382344192", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-27230 (expressionengine)) has been published on https://t.co/lM2pTNcjxF?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1374040850574028812", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-27230 (expressionengine)) has been published on https://t.co/sv2dHpO99v?amp=1"}, {"link": "https://twitter.com/DarkEagleCyber/status/1374040951690203140", "text": "CVE-2021-27230 (expressionengine) https://t.co/2Q19FHN8so?amp=1"}]}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:161805"]}, {"type": "zdt", "idList": ["1337DAY-ID-35960"]}]}, "exploitation": null, "vulnersScore": 4.4}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-20"], "affectedSoftware": [{"cpeName": "expressionengine:expressionengine", "version": "5.4.2", "operator": "lt", "name": "expressionengine"}, {"cpeName": "expressionengine:expressionengine", "version": "6.0.3", "operator": "lt", "name": "expressionengine"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:expressionengine:expressionengine:5.4.2:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.2", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:expressionengine:expressionengine:6.0.3:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://hackerone.com/reports/1093444", "name": "https://hackerone.com/reports/1093444", "refsource": "MISC", "tags": ["Permissions Required", "Third Party Advisory"]}, {"url": "http://karmainsecurity.com/KIS-2021-03", "name": "http://karmainsecurity.com/KIS-2021-03", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://expressionengine.com/features", "name": "https://expressionengine.com/features", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Mar/32", "name": "http://seclists.org/fulldisclosure/2021/Mar/32", "refsource": "MISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html", "name": "http://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2021-09-26T22:49:47", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T00:00:00", "type": "zdt", "title": "ExpressionEngine 6.0.2 PHP Code Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27230"], "modified": "2021-03-16T00:00:00", "id": "1337DAY-ID-35960", "href": "https://0day.today/exploit/description/35960", "sourceData": "----------------------------------------------------------------------------\r\nExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection \r\nVulnerability\r\n----------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://expressionengine.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 6.0.2 and prior versions.\r\nVersion 5.4.1 and prior versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the \r\n\"ExpressionEngine\\Controller\\Utilities\\Translate::save()\" method:\r\n\r\n362. private function save($language, $file)\r\n363. {\r\n364.\r\n365. $file = ee()->security->sanitize_filename($file);\r\n366.\r\n367. $dest_dir = $this->languages_dir . $language . '/';\r\n368. $filename = $file . '_lang.php';\r\n369. $dest_loc = $dest_dir . $filename;\r\n370.\r\n371. $str = '<?php' . \"\\n\" . '$lang = array(' . \"\\n\\n\\n\";\r\n372.\r\n373. ee()->lang->loadfile($file);\r\n374.\r\n375. foreach ($_POST as $key => $val) {\r\n376. $val = str_replace('<script', '', $val);\r\n377. $val = str_replace('<iframe', '', $val);\r\n378. $val = str_replace(array(\"\\\\\", \"'\"), array(\"\\\\\\\\\", \r\n\"\\'\"), $val);\r\n379.\r\n380. $str .= '\\'' . $key . '\\' => ' . \"\\n\" . '\\'' . $val \r\n. '\\'' . \",\\n\\n\";\r\n381. }\r\n382.\r\n383. $str .= \"''=>''\\n);\\n\\n\";\r\n384. $str .= \"// End of File\";\r\n\r\n[...]\r\n\r\n400. $this->load->helper('file');\r\n401.\r\n402. if (write_file($dest_loc, $str)) {\r\n403. ee('CP/Alert')->makeInline('shared-form')\r\n404. ->asSuccess()\r\n405. ->withTitle(lang('translations_saved'))\r\n406. ->addToBody(sprintf(lang('file_saved'), \r\n$dest_loc))\r\n407. ->defer();\r\n\r\nUser input passed via keys of POST parameters is not properly sanitized \r\nbefore being assigned\r\nto the \"$str\" variable at line 380. Such a variable will be used in a \r\ncall to the \"write_file()\"\r\nfunction at line 402, trying to write user supplied content into the\r\n/system/user/language/[lang]/[file]_lang.php file. This can be exploited \r\nto inject and execute arbitrary PHP code. Successful exploitation of \r\nthis vulnerability requires an account with\r\npermissions to access the CP translation system utilities.\r\n\r\n\r\n[-] Solution:\r\n\r\nUpgrade to version 6.0.3, 5.4.2, or later.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[03/02/2021] - Vendor notified through HackerOne\r\n[15/02/2021] - Vulnerability acknowledged by the vendor\r\n[16/02/2021] - CVE number assigned\r\n[17/02/2021] - Version 6.0.3 released\r\n[04/03/2021] - Version 5.4.2 released\r\n[15/03/2021] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2021-27230 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2021-09-27] #", "sourceHref": "https://0day.today/exploit/35960", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-03-15T21:06:25", "description": "", "published": "2021-03-15T00:00:00", "type": "packetstorm", "title": "ExpressionEngine 6.0.2 PHP Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-27230"], "modified": "2021-03-15T00:00:00", "id": "PACKETSTORM:161805", "href": "https://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html", "sourceData": "`---------------------------------------------------------------------------- \nExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection \nVulnerability \n---------------------------------------------------------------------------- \n \n \n[-] Software Link: \n \nhttps://expressionengine.com/ \n \n \n[-] Affected Versions: \n \nVersion 6.0.2 and prior versions. \nVersion 5.4.1 and prior versions. \n \n \n[-] Vulnerability Description: \n \nThe vulnerable code is located in the \n\"ExpressionEngine\\Controller\\Utilities\\Translate::save()\" method: \n \n362. private function save($language, $file) \n363. { \n364. \n365. $file = ee()->security->sanitize_filename($file); \n366. \n367. $dest_dir = $this->languages_dir . $language . '/'; \n368. $filename = $file . '_lang.php'; \n369. $dest_loc = $dest_dir . $filename; \n370. \n371. $str = '<?php' . \"\\n\" . '$lang = array(' . \"\\n\\n\\n\"; \n372. \n373. ee()->lang->loadfile($file); \n374. \n375. foreach ($_POST as $key => $val) { \n376. $val = str_replace('<script', '', $val); \n377. $val = str_replace('<iframe', '', $val); \n378. $val = str_replace(array(\"\\\\\", \"'\"), array(\"\\\\\\\\\", \n\"\\'\"), $val); \n379. \n380. $str .= '\\'' . $key . '\\' => ' . \"\\n\" . '\\'' . $val \n. '\\'' . \",\\n\\n\"; \n381. } \n382. \n383. $str .= \"''=>''\\n);\\n\\n\"; \n384. $str .= \"// End of File\"; \n \n[...] \n \n400. $this->load->helper('file'); \n401. \n402. if (write_file($dest_loc, $str)) { \n403. ee('CP/Alert')->makeInline('shared-form') \n404. ->asSuccess() \n405. ->withTitle(lang('translations_saved')) \n406. ->addToBody(sprintf(lang('file_saved'), \n$dest_loc)) \n407. ->defer(); \n \nUser input passed via keys of POST parameters is not properly sanitized \nbefore being assigned \nto the \"$str\" variable at line 380. Such a variable will be used in a \ncall to the \"write_file()\" \nfunction at line 402, trying to write user supplied content into the \n/system/user/language/[lang]/[file]_lang.php file. This can be exploited \nto inject and execute arbitrary PHP code. Successful exploitation of \nthis vulnerability requires an account with \npermissions to access the CP translation system utilities. \n \n \n[-] Solution: \n \nUpgrade to version 6.0.3, 5.4.2, or later. \n \n \n[-] Disclosure Timeline: \n \n[03/02/2021] - Vendor notified through HackerOne \n[15/02/2021] - Vulnerability acknowledged by the vendor \n[16/02/2021] - CVE number assigned \n[17/02/2021] - Version 6.0.3 released \n[04/03/2021] - Version 5.4.2 released \n[15/03/2021] - Public disclosure \n \n \n[-] CVE Reference: \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2021-27230 to this vulnerability. \n \n \n[-] Credits: \n \nVulnerability discovered by Egidio Romano. \n \n \n[-] Other References: \n \nhttps://hackerone.com/reports/1093444 \n \n \n[-] Original Advisory: \n \nhttp://karmainsecurity.com/KIS-2021-03 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161805/KIS-2021-03.txt"}]}