ExpressionEngine 6.0.2 PHP Code Injection Vulnerability
2021-03-16T00:00:00
cve
NVD
CVE-2021-27230
2021-03-15T23:15:00
packetstorm
exploit
ExpressionEngine 6.0.2 PHP Code Injection
2021-03-15T00:00:00
{"id": "1337DAY-ID-35960", "type": "zdt", "bulletinFamily": "exploit", "title": "ExpressionEngine 6.0.2 PHP Code Injection Vulnerability", "description": "", "published": "2021-03-16T00:00:00", "modified": "2021-03-16T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35960", "reporter": "zdt", "references": [], "cvelist": ["CVE-2021-27230"], "immutableFields": [], "lastseen": "2021-09-26T22:49:47", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-27230"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161805"]}], "rev": 4}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-27230"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161805"]}, {"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 0.7}, "sourceHref": "https://0day.today/exploit/35960", "sourceData": 
"----------------------------------------------------------------------------\r\nExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection \r\nVulnerability\r\n----------------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://expressionengine.com/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 6.0.2 and prior versions.\r\nVersion 5.4.1 and prior versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the \r\n\"ExpressionEngine\\Controller\\Utilities\\Translate::save()\" method:\r\n\r\n362. private function save($language, $file)\r\n363. {\r\n364.\r\n365. $file = ee()->security->sanitize_filename($file);\r\n366.\r\n367. $dest_dir = $this->languages_dir . $language . '/';\r\n368. $filename = $file . '_lang.php';\r\n369. $dest_loc = $dest_dir . $filename;\r\n370.\r\n371. $str = '<?php' . \"\\n\" . '$lang = array(' . \"\\n\\n\\n\";\r\n372.\r\n373. ee()->lang->loadfile($file);\r\n374.\r\n375. foreach ($_POST as $key => $val) {\r\n376. $val = str_replace('<script', '', $val);\r\n377. $val = str_replace('<iframe', '', $val);\r\n378. $val = str_replace(array(\"\\\\\", \"'\"), array(\"\\\\\\\\\", \r\n\"\\'\"), $val);\r\n379.\r\n380. $str .= '\\'' . $key . '\\' => ' . \"\\n\" . '\\'' . $val \r\n. '\\'' . \",\\n\\n\";\r\n381. }\r\n382.\r\n383. $str .= \"''=>''\\n);\\n\\n\";\r\n384. $str .= \"// End of File\";\r\n\r\n[...]\r\n\r\n400. $this->load->helper('file');\r\n401.\r\n402. if (write_file($dest_loc, $str)) {\r\n403. ee('CP/Alert')->makeInline('shared-form')\r\n404. ->asSuccess()\r\n405. ->withTitle(lang('translations_saved'))\r\n406. ->addToBody(sprintf(lang('file_saved'), \r\n$dest_loc))\r\n407. ->defer();\r\n\r\nUser input passed via keys of POST parameters is not properly sanitized \r\nbefore being assigned\r\nto the \"$str\" variable at line 380. 
Such a variable will be used in a \r\ncall to the \"write_file()\"\r\nfunction at line 402, trying to write user supplied content into the\r\n/system/user/language/[lang]/[file]_lang.php file. This can be exploited \r\nto inject and execute arbitrary PHP code. Successful exploitation of \r\nthis vulnerability requires an account with\r\npermissions to access the CP translation system utilities.\r\n\r\n\r\n[-] Solution:\r\n\r\nUpgrade to version 6.0.3, 5.4.2, or later.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[03/02/2021] - Vendor notified through HackerOne\r\n[15/02/2021] - Vulnerability acknowledged by the vendor\r\n[16/02/2021] - CVE number assigned\r\n[17/02/2021] - Version 6.0.3 released\r\n[04/03/2021] - Version 5.4.2 released\r\n[15/03/2021] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2021-27230 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2021-09-27] #", "_state": {"dependencies": 1647589307, "score": 1659753002}}
{"cve": [{"lastseen": "2022-07-13T15:59:38", "description": "ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-15T23:15:00", "type": "cve", "title": "CVE-2021-27230", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27230"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-27230", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27230", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-03-15T21:06:25", "description": "", "published": "2021-03-15T00:00:00", "type": "packetstorm", "title": "ExpressionEngine 6.0.2 PHP Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-27230"], "modified": "2021-03-15T00:00:00", "id": "PACKETSTORM:161805", "href": "https://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html", "sourceData": 
"`---------------------------------------------------------------------------- \nExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection \nVulnerability \n---------------------------------------------------------------------------- \n \n \n[-] Software Link: \n \nhttps://expressionengine.com/ \n \n \n[-] Affected Versions: \n \nVersion 6.0.2 and prior versions. \nVersion 5.4.1 and prior versions. \n \n \n[-] Vulnerability Description: \n \nThe vulnerable code is located in the \n\"ExpressionEngine\\Controller\\Utilities\\Translate::save()\" method: \n \n362. private function save($language, $file) \n363. { \n364. \n365. $file = ee()->security->sanitize_filename($file); \n366. \n367. $dest_dir = $this->languages_dir . $language . '/'; \n368. $filename = $file . '_lang.php'; \n369. $dest_loc = $dest_dir . $filename; \n370. \n371. $str = '<?php' . \"\\n\" . '$lang = array(' . \"\\n\\n\\n\"; \n372. \n373. ee()->lang->loadfile($file); \n374. \n375. foreach ($_POST as $key => $val) { \n376. $val = str_replace('<script', '', $val); \n377. $val = str_replace('<iframe', '', $val); \n378. $val = str_replace(array(\"\\\\\", \"'\"), array(\"\\\\\\\\\", \n\"\\'\"), $val); \n379. \n380. $str .= '\\'' . $key . '\\' => ' . \"\\n\" . '\\'' . $val \n. '\\'' . \",\\n\\n\"; \n381. } \n382. \n383. $str .= \"''=>''\\n);\\n\\n\"; \n384. $str .= \"// End of File\"; \n \n[...] \n \n400. $this->load->helper('file'); \n401. \n402. if (write_file($dest_loc, $str)) { \n403. ee('CP/Alert')->makeInline('shared-form') \n404. ->asSuccess() \n405. ->withTitle(lang('translations_saved')) \n406. ->addToBody(sprintf(lang('file_saved'), \n$dest_loc)) \n407. ->defer(); \n \nUser input passed via keys of POST parameters is not properly sanitized \nbefore being assigned \nto the \"$str\" variable at line 380. Such a variable will be used in a \ncall to the \"write_file()\" \nfunction at line 402, trying to write user supplied content into the \n/system/user/language/[lang]/[file]_lang.php file. 
This can be exploited \nto inject and execute arbitrary PHP code. Successful exploitation of \nthis vulnerability requires an account with \npermissions to access the CP translation system utilities. \n \n \n[-] Solution: \n \nUpgrade to version 6.0.3, 5.4.2, or later. \n \n \n[-] Disclosure Timeline: \n \n[03/02/2021] - Vendor notified through HackerOne \n[15/02/2021] - Vulnerability acknowledged by the vendor \n[16/02/2021] - CVE number assigned \n[17/02/2021] - Version 6.0.3 released \n[04/03/2021] - Version 5.4.2 released \n[15/03/2021] - Public disclosure \n \n \n[-] CVE Reference: \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2021-27230 to this vulnerability. \n \n \n[-] Credits: \n \nVulnerability discovered by Egidio Romano. \n \n \n[-] Other References: \n \nhttps://hackerone.com/reports/1093444 \n \n \n[-] Original Advisory: \n \nhttp://karmainsecurity.com/KIS-2021-03 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161805/KIS-2021-03.txt"}]}