openSIS 5.2 PHP Code Injection Vulnerability

{"type": "zdt", "lastseen": "2016-04-20T02:09:19", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1349"], "history": [], "title": "openSIS 5.2 PHP Code Injection Vulnerability", "published": "2013-12-08T00:00:00", "href": "http://0day.today/exploit/description/21638", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "description": "openSIS versions 4.5 through 5.2 suffer from a remote PHP code injection vulnerability.", "hash": "f6a91ff83631a3546467b259165805ce6422f223ce4a4bf4f2144836625d7629", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "----------------------------------------------------------\r\nopenSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability\r\n----------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.opensis.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nAll versions from 4.5 to 5.2.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /ajax.php script:\r\n\r\n86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))\r\n87. {\r\n88. if($_REQUEST['_openSIS_PDF']=='true')\r\n89. ob_start();\r\n90. if(strpos($_REQUEST['modname'],'?')!==false)\r\n91. {\r\n92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));\r\n93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));\r\n94. \r\n95. $vars = explode('?',$vars);\r\n96. foreach($vars as $code)\r\n97. {\r\n98. $code = decode_unicode_url(\"\\$_REQUEST['\".str_replace('=',\"']='\",$code).\"';\");\r\n99. eval($code);\r\n100. }\r\n101. }\r\n\r\nUser input passed through the \"modname\" request variable is not properly sanitized before being used in\r\na call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.\r\n\r\n\r\n[-] Solution:\r\n\r\nAs of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/\r\n[28/12/2012] - Vendor contacted, replied that the next version will fix the issue\r\n[12/01/2013] - CVE number requested\r\n[14/01/2013] - CVE number assigned\r\n[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet\r\n[12/05/2013] - Vendor contacted again\r\n[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)\r\n[04/12/2013] - After one year still no official solution available\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1349 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-21638", "sourceHref": "http://0day.today/exploit/21638", "modified": "2013-12-08T00:00:00", "reporter": "EgiX", "enchantments": {"vulnersScore": 6.5}}

{"result": {"cve": [{"id": "CVE-2013-1349", "type": "cve", "title": "CVE-2013-1349", "description": "Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.", "published": "2013-12-09T11:36:43", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1349", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-09-03T18:08:12"}], "seebug": [{"id": "SSV-83854", "type": "seebug", "title": "OpenSIS 'modname' - PHP Code Execution", "description": "Summary: \nopenSIS is an open source student information management system. This system contains contact information, schedules, transcripts, health, attendance and other modules.< br/>openSIS 4. 5 to 5. 2 version of the ajax. the php script exists in the eval injection vulnerabilities. A remote attacker could exploit the vulnerability by means of&';modname'parameter to execute arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-83854", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-07-29T01:19:16"}], "packetstorm": [{"id": "PACKETSTORM:124567", "type": "packetstorm", "title": "OpenSIS 'modname' PHP Code Execution", "description": "", "published": "2013-12-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/124567/OpenSIS-modname-PHP-Code-Execution.html", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-12-05T22:15:58"}, {"id": "PACKETSTORM:124329", "type": "packetstorm", "title": "openSIS 5.2 PHP Code Injection", "description": "", "published": "2013-12-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/124329/openSIS-5.2-PHP-Code-Injection.html", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-12-05T22:23:34"}], "exploitdb": [{"id": "EDB-ID:30471", "type": "exploitdb", "title": "OpenSIS 'modname' - PHP Code Execution", "description": "OpenSIS 'modname' - PHP Code Execution. CVE-2013-1349. Remote exploit for linux platform", "published": "2013-12-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/30471/", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-02-03T12:26:25"}], "zdt": [{"id": "1337DAY-ID-21707", "type": "zdt", "title": "OpenSIS 'modname' PHP Code Execution Vulnerability", "description": "This Metasploit module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.", "published": "2013-12-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://0day.today/exploit/description/21707", "cvelist": ["CVE-2013-1349"], "lastseen": "2016-04-20T02:07:01"}], "metasploit": [{"id": "MSF:EXPLOIT/UNIX/WEBAPP/OPENSIS_MODNAME_EXEC", "type": "metasploit", "title": "OpenSIS 'modname' PHP Code Execution", "description": "This module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.", "published": "2013-12-19T08:40:48", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2013-1349"], "lastseen": "2017-08-21T15:30:15"}]}}