Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormWolfgang HotwagnerPACKETSTORM:161758
HistoryMar 12, 2021 - 12:00 a.m.

QCubed 3.1.1 PHP Object Injection

2021-03-1200:00:00
Wolfgang Hotwagner
packetstormsecurity.com
230
JSON
`QCubed PHP Object Injection  
===========================  
  
| Identifier: | AIT-SA-20210215-01 |  
| Target: | QCubed Framework |  
| Vendor: | QCubed |  
| Version: | all versions including 3.1.1 |  
| CVE: | CVE-2020-24914 |  
| Accessibility: | Remote |  
| Severity: | Critical |  
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |  
  
SUMMARY  
=======  
QCubed is a PHP Model-View-Controller Rappid Application Development framework. (https://github.com/qcubed/qcubed)  
  
VULNERABILITY DESCRIPTION  
=========================  
A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.  
  
qcubed/assets/php/profile.php:  
<?php   
require_once('./qcubed.inc.php');  
  
//Exit gracefully if called directly or profiling data is missing.  
if ( !isset($_POST['intDatabaseIndex']) && !isset($_POST['strProfileData']) && !isset($_POST['strReferrer']) )  
exit('Nothing to profile. No Database Profiling data recived.');  
  
if ( !isset($_POST['intDatabaseIndex']) || !isset($_POST['strProfileData']) || !isset($_POST['strReferrer']) )  
throw new Exception('Database Profiling data appears to have been corrupted.');  
  
$intDatabaseIndex = intval($_POST['intDatabaseIndex']);  
$strReferrer = QApplication::HtmlEntities($_POST['strReferrer']);  
  
$objProfileArray = unserialize(base64_decode($_POST['strProfileData'])); //<-VULNERABLE CODE  
$objProfileArray = QType::Cast($objProfileArray, QType::ArrayType);  
  
  
VULNERABLE VERSIONS  
===================  
All versions including 3.1.1 are affected.  
  
  
TESTED VERSIONS  
===============  
QCubed 3.1.1  
  
IMPACT  
======  
An unauthenticated attacker could execute code remotely.  
  
MITIGATION  
==========  
A patch was delivered by QCubed that allows to disable the profile-functionality.  
  
VENDOR CONTACT TIMELINE  
=======================   
  
| 2020-04-19 | Contacting the vendor |  
| 2020-04-19 | Vendor replied |  
| 2020-05-01 | Vendor released a patch at Github |  
| 2021-02-15 | Public disclosure |  
  
ADVISORY URL  
============  
  
[https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed](https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed)   
  
  
`

Related

zdt 1
veracode 1
cve 1
checkpoint_advisories 1
osv 1
prion 1
wallarmlab 1
zdt
zdt
QCubed 3.1.1 PHP Object Injection Vulnerability
2021-03-13 00:00:00
veracode
veracode
Untrusted Object Deserialization
2021-03-05 01:04:25
cve
cve
CVE-2020-24914
2021-03-04 13:15:00
checkpoint_advisories
checkpoint_advisories
Qcubed Remote Code Execution (CVE-2020-24914)
2021-04-28 00:00:00
osv
osv
CVE-2020-24914
2021-03-04 13:15:15
prion
prion
Cross site request forgery (csrf)
2021-03-04 13:15:00
wallarmlab
wallarmlab
Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.
2021-03-16 18:22:00
JSON
Related for PACKETSTORM:161758
zdt1veracode1cve1checkpoint_advisories1osv1prion1wallarmlab1