ID 1337DAY-ID-21638 Type zdt Reporter EgiX Modified 2013-12-08T00:00:00
Description
openSIS versions 4.5 through 5.2 suffer from a remote PHP code injection vulnerability.
----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
# 0day.today [2018-04-08] #
{"hash": "a327469d1a46151b1ed54300aeaaf3ae74a60b9c4fa57ebc7835480ba539f554", "id": "1337DAY-ID-21638", "lastseen": "2018-04-08T11:43:48", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6327642242bf099df1ed47940d5e1f43", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "18fec132fa6ff584ad7a36a0e0370e80", "key": "description"}, {"hash": "5b669fcc5fb56e17d5afbf4045c2f623", "key": "href"}, {"hash": "e8aeafae63cc3b838b1d0f1d80c7ea64", "key": "modified"}, {"hash": "e8aeafae63cc3b838b1d0f1d80c7ea64", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "16ae08c99dc68460307538c10ebd01c8", "key": "reporter"}, {"hash": "417aa3baa5dbfa0da574b4196da443d6", "key": "sourceData"}, {"hash": "d8499e0925431d5ff9da88f4d5e0901c", "key": "sourceHref"}, {"hash": "f8316b12e416f85f5b1432c042a74da6", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21638", "description": "openSIS versions 4.5 through 5.2 suffer from a remote PHP code injection vulnerability.", "title": "openSIS 5.2 PHP Code Injection Vulnerability", "history": [{"bulletin": {"hash": "eb81bd9144f1d7bce767f0600469923952d8239434dd6fd94d083977add4dc7f", "id": "1337DAY-ID-21638", "lastseen": "2016-04-20T02:09:19", "enchantments": {"score": {"value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/", "modified": "2016-04-20T02:09:19"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "16ae08c99dc68460307538c10ebd01c8", "key": "reporter"}, {"hash": "f981ea5dc60c897d578858d88d2a7ec9", "key": "sourceData"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "0ab254f2051a64577356b650cf75410f", "key": "sourceHref"}, {"hash": "f8316b12e416f85f5b1432c042a74da6", "key": "title"}, {"hash": "18fec132fa6ff584ad7a36a0e0370e80", "key": "description"}, {"hash": "e8aeafae63cc3b838b1d0f1d80c7ea64", "key": "modified"}, {"hash": "e8aeafae63cc3b838b1d0f1d80c7ea64", "key": "published"}, {"hash": "abaf7d3bbfd4797f6d1a89742da97c43", "key": "href"}, {"hash": "6327642242bf099df1ed47940d5e1f43", "key": "cvelist"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21638", "description": "openSIS versions 4.5 through 5.2 suffer from a remote PHP code injection vulnerability.", "viewCount": 0, "title": "openSIS 5.2 PHP Code Injection Vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.0", "cvelist": ["CVE-2013-1349"], "sourceData": "----------------------------------------------------------\r\nopenSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability\r\n----------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.opensis.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nAll versions from 4.5 to 5.2.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /ajax.php script:\r\n\r\n86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))\r\n87. {\r\n88. if($_REQUEST['_openSIS_PDF']=='true')\r\n89. ob_start();\r\n90. if(strpos($_REQUEST['modname'],'?')!==false)\r\n91. {\r\n92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));\r\n93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));\r\n94. \r\n95. $vars = explode('?',$vars);\r\n96. foreach($vars as $code)\r\n97. {\r\n98. $code = decode_unicode_url(\"\\$_REQUEST['\".str_replace('=',\"']='\",$code).\"';\");\r\n99. eval($code);\r\n100. }\r\n101. }\r\n\r\nUser input passed through the \"modname\" request variable is not properly sanitized before being used in\r\na call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.\r\n\r\n\r\n[-] Solution:\r\n\r\nAs of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/\r\n[28/12/2012] - Vendor contacted, replied that the next version will fix the issue\r\n[12/01/2013] - CVE number requested\r\n[14/01/2013] - CVE number assigned\r\n[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet\r\n[12/05/2013] - Vendor contacted again\r\n[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)\r\n[04/12/2013] - After one year still no official solution available\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1349 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2016-04-20] #", "published": "2013-12-08T00:00:00", "references": [], "reporter": "EgiX", "modified": "2013-12-08T00:00:00", "href": "http://0day.today/exploit/description/21638"}, "lastseen": "2016-04-20T02:09:19", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": ["CVE-2013-1349"], "sourceData": "----------------------------------------------------------\r\nopenSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability\r\n----------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.opensis.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nAll versions from 4.5 to 5.2.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /ajax.php script:\r\n\r\n86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))\r\n87. {\r\n88. if($_REQUEST['_openSIS_PDF']=='true')\r\n89. ob_start();\r\n90. if(strpos($_REQUEST['modname'],'?')!==false)\r\n91. {\r\n92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));\r\n93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));\r\n94. \r\n95. $vars = explode('?',$vars);\r\n96. foreach($vars as $code)\r\n97. {\r\n98. $code = decode_unicode_url(\"\\$_REQUEST['\".str_replace('=',\"']='\",$code).\"';\");\r\n99. eval($code);\r\n100. }\r\n101. }\r\n\r\nUser input passed through the \"modname\" request variable is not properly sanitized before being used in\r\na call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.\r\n\r\n\r\n[-] Solution:\r\n\r\nAs of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/\r\n[28/12/2012] - Vendor contacted, replied that the next version will fix the issue\r\n[12/01/2013] - CVE number requested\r\n[14/01/2013] - CVE number assigned\r\n[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet\r\n[12/05/2013] - Vendor contacted again\r\n[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)\r\n[04/12/2013] - After one year still no official solution available\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1349 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2018-04-08] #", "published": "2013-12-08T00:00:00", "references": [], "reporter": "EgiX", "modified": "2013-12-08T00:00:00", "href": "https://0day.today/exploit/description/21638"}
{"result": {"cve": [{"id": "CVE-2013-1349", "type": "cve", "title": "CVE-2013-1349", "description": "Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.", "published": "2013-12-09T11:36:43", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1349", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-09-03T18:08:12"}], "packetstorm": [{"id": "PACKETSTORM:124329", "type": "packetstorm", "title": "openSIS 5.2 PHP Code Injection", "description": "", "published": "2013-12-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/124329/openSIS-5.2-PHP-Code-Injection.html", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-12-05T22:23:34"}, {"id": "PACKETSTORM:124567", "type": "packetstorm", "title": "OpenSIS 'modname' PHP Code Execution", "description": "", "published": "2013-12-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/124567/OpenSIS-modname-PHP-Code-Execution.html", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-12-05T22:15:58"}], "exploitdb": [{"id": "EDB-ID:30471", "type": "exploitdb", "title": "OpenSIS 'modname' - PHP Code Execution", "description": "OpenSIS 'modname' - PHP Code Execution. CVE-2013-1349. Remote exploit for linux platform", "published": "2013-12-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/30471/", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-02-03T12:26:25"}], "zdt": [{"id": "1337DAY-ID-21707", "type": "zdt", "title": "OpenSIS 'modname' PHP Code Execution Vulnerability", "description": "This Metasploit module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.", "published": "2013-12-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/21707", "cvelist": ["CVE-2013-1349"], "lastseen": "2018-03-14T09:13:22"}], "seebug": [{"id": "SSV:61205", "type": "seebug", "title": "openSIS "modname" PHP\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e", "description": "CVE(CAN) ID: CVE-2013-1349\r\n\r\nopenSIS\u662f\u5f00\u6e90\u5b66\u751f\u4fe1\u606f\u7cfb\u7edf\u3002\r\n\r\nopenSIS 5.2\u7248\u672c\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4ajax.php\u5185\u7684"modname"\u53c2\u6570\u503c\uff0c\u53ef\u5bfc\u81f4\u6ce8\u5165\u548c\u6267\u884c\u4efb\u610fPHP\u4ee3\u7801\u3002\n0\nopensis opensis 5.2\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nopensis\r\n-------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.opensis.com/\r\n\r\nopenSIS:\r\nhttp://sourceforge.net/p/opensis-ce/bugs/59/\r\nEgidio Romano:\r\nhttp://karmainsecurity.com/KIS-2013-10", "published": "2013-12-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-61205", "cvelist": ["CVE-2013-1349"], "lastseen": "2017-11-19T17:37:24"}], "metasploit": [{"id": "MSF:EXPLOIT/UNIX/WEBAPP/OPENSIS_MODNAME_EXEC", "type": "metasploit", "title": "OpenSIS 'modname' PHP Code Execution", "description": "This module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.", "published": "2013-12-19T08:40:48", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2013-1349"], "lastseen": "2018-05-21T01:20:20"}]}}
