Vulners
Lucene search
openSIS 5.2 PHP Code Injection
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | openSIS 5.2 PHP Code Injection Vulnerability | 8 Dec 201300:00 | – | zdt |
| OpenSIS 'modname' PHP Code Execution Vulnerability | 24 Dec 201300:00 | – | zdt |
 | CVE-2013-1349 | 24 Dec 201300:00 | – | circl |
 | OpenSIS ajax.php modname Code Execution (CVE-2013-1349) | 5 Oct 201400:00 | – | checkpoint_advisories |
 | CVE-2013-1349 | 9 Dec 201311:00 | – | cve |
 | CVE-2013-1349 | 9 Dec 201311:00 | – | cvelist |
 | CVE-2013-1349 | 9 Dec 201316:36 | – | nvd |
 | OpenSIS 'modname' PHP Code Execution | 23 Dec 201300:00 | – | packetstorm |
 | Sql injection | 9 Dec 201316:36 | – | prion |
 | [KIS-2013-10] openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability | 9 Dec 201300:00 | – | securityvulns |
10
`----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-10
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.70857