ID PACKETSTORM:161758 Type packetstorm Reporter Wolfgang Hotwagner Modified 2021-03-12T00:00:00
Description
QCubed PHP Object Injection
===========================
| Identifier: | AIT-SA-20210215-01 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24914 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
SUMMARY
=======
QCubed is a PHP Model-View-Controller Rapid Application Development framework. (https://github.com/qcubed/qcubed)
VULNERABILITY DESCRIPTION
=========================
A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.
qcubed/assets/php/profile.php:
<?php
require_once('./qcubed.inc.php');

//Exit gracefully if called directly or profiling data is missing.
if ( !isset($_POST['intDatabaseIndex']) && !isset($_POST['strProfileData']) && !isset($_POST['strReferrer']) )
    exit('Nothing to profile. No Database Profiling data recived.');

if ( !isset($_POST['intDatabaseIndex']) || !isset($_POST['strProfileData']) || !isset($_POST['strReferrer']) )
    throw new Exception('Database Profiling data appears to have been corrupted.');

$intDatabaseIndex = intval($_POST['intDatabaseIndex']);
$strReferrer = QApplication::HtmlEntities($_POST['strReferrer']);

$objProfileArray = unserialize(base64_decode($_POST['strProfileData'])); //<-VULNERABLE CODE
$objProfileArray = QType::Cast($objProfileArray, QType::ArrayType);
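The root cause above is that unserialize() is fed attacker-controlled bytes with no restriction on which classes may be instantiated, so any class reachable through the autoloader with a __wakeup() or __destruct() method becomes a gadget. The following is an added example, not QCubed's code or its patch: it shows the same base64-wrapped decode written so that no object can ever be instantiated from the request. It assumes (the advisory only says the result is cast to an array) that legitimate profiling data is a plain array of scalars; the function name decodeProfileData and the sample inputs are constructed for this example.

```php
<?php
// Added example (not QCubed's code): hardened replacement for the
// unserialize(base64_decode($_POST['strProfileData'])) call in profile.php.
// Assumption: profiling data is a plain array of scalars, so no object of
// any class is ever needed to represent it.

declare(strict_types=1);

/**
 * Decode base64-wrapped profiling data without instantiating any class.
 * Returns the decoded array, or null if the payload is not a plain array.
 */
function decodeProfileData(string $encoded): ?array
{
    // Strict mode: any byte outside the base64 alphabet makes decoding fail
    // instead of being silently skipped.
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }

    // allowed_classes => false (PHP >= 7.0): every serialized object is
    // materialised as __PHP_Incomplete_Class, so no constructor, __wakeup()
    // or __destruct() of an application class runs on request data.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }

    // Even inert placeholders are not legitimate profiling data: reject the
    // whole payload if any nested value is an object.
    $hasObject = false;
    array_walk_recursive($data, function ($value) use (&$hasObject) {
        if (is_object($value)) {
            $hasObject = true;
        }
    });

    return $hasObject ? null : $data;
}

// Constructed sample: what a legitimate client would send.
$benign = base64_encode(serialize(['query' => 'SELECT 1', 'ms' => 3]));

// Constructed sample: an array carrying a serialized object (stdClass here,
// which is harmless); with allowed_classes => false it is never instantiated
// and the payload is rejected as a whole.
$withObject = base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}');

var_dump(decodeProfileData($benign));
var_dump(decodeProfileData($withObject));
var_dump(decodeProfileData('not base64!!'));
```

If the wire format can be changed, replacing serialize()/unserialize() with json_encode()/json_decode($raw, true) removes the deserialization sink entirely; the allowed_classes option is the minimal change when the serialized format has to stay.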
VULNERABLE VERSIONS
===================
All versions including 3.1.1 are affected.
TESTED VERSIONS
===============
QCubed 3.1.1
IMPACT
======
An unauthenticated attacker could execute code remotely.
MITIGATION
==========
QCubed delivered a patch that allows the profiling functionality to be disabled.
VENDOR CONTACT TIMELINE
=======================
| 2020-04-19 | Vendor contacted |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch on GitHub |
| 2021-02-15 | Public disclosure |
ADVISORY URL
============
[https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed](https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed)
PACKETSTORM RECORD
==================
| Title: | QCubed 3.1.1 PHP Object Injection |
| Published: | 2021-03-12 |
| CVE: | CVE-2020-24914 |
| CVSS v2: | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| Page: | https://packetstormsecurity.com/files/161758/QCubed-3.1.1-PHP-Object-Injection.html |
| Source: | https://packetstormsecurity.com/files/download/161758/AIT-SA-20210215-01.txt |
NVD RECORD
==========
| CVE: | CVE-2020-24914 |
| CWE: | CWE-915 |
| CVSS v3.1: | 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CVSS v2: | 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| CPE: | cpe:2.3:a:qcubed:qcubed:3.1.1:*:*:*:*:*:*:* |
| Published: | 2021-03-04 |
| Modified: | 2021-03-22 |
| Reference: | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24914 |