Advertisement






Concrete5 8.5.5 Phar Deserialization

CVE Category Price Severity
CVE-2021-36766 CWE-502 N/A High
Author Risk Exploitation Type Date
Miguel Angel Marcos High Remote 2021-07-21
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070128

Below is a copy:

Concrete5 8.5.5 Phar Deserialization
------------------------------------------------------------------------
Concrete5 <= 8.5.5 (Logging Settings) Phar Deserialization Vulnerability
------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org


[-] Affected Versions:

Version 8.5.5 and prior versions.


[-] Vulnerability Description:

The vulnerable code is located within the 
/concrete/controllers/single_page/dashboard/system/environment/logging.php 
script. Specifically, into the Logging::update_logging()  method:

61.    public function update_logging()
62.    {
63.        $config = $this->app->make('config');
64.        $request = $this->request;
65.
66.        if (!$this->token->validate('update_logging')) {
67.            return 
$this->showError($this->token->getErrorMessage());
68.        }
69.
70.        // Load in variables from the request
71.        $mode = (string) $request->request->get('logging_mode') === 
'advanced' ? 'advanced' : 'simple';
72.        $handler = $mode === 'simple' ? (string) 
$request->request->get('handler', 'database') : null;
73.        $logFile = $handler === 'file' ? (string) 
$request->request->get('logFile') : null;
74.        $enableDashboardReport = 
$request->request->get('enable_dashboard_report') ? true : false;
75.        $loggingLevel = strtoupper((string) 
$request->request->get('logging_level'));
76.        $intLogErrorsPost = 
$request->request->get('ENABLE_LOG_ERRORS') === 1 ? 1 : 0;
77.        $intLogEmailsPost = 
$request->request->get('ENABLE_LOG_EMAILS') === 1 ? 1 : 0;
78.        $intLogApiPost = $request->request->get('ENABLE_LOG_API') 
=== 1 ? 1 : 0;
79.
80.
81.        // Handle 'file' based logging
82.        if ($handler === 'file') {
83.            $directory = dirname($logFile);
84.
85.            // Validate the file name
86.            if (pathinfo($logFile, PATHINFO_EXTENSION) !== 'log') {
87.                return $this->showError(t('The filename provided 
must be a valid filename and end with .log'));
88.            }
89.
90.            // Validate the file path, create the log file if needed
91.            if (!file_exists($logFile)) {


User input passed through the "logFile" request parameter is not 
properly sanitized before being used in a call to the file_exists() 
function at line 91. This can be exploited by malicious users to inject 
arbitrary PHP objects into the application scope (PHP Object Injection 
via phar:// stream wrapper), allowing them to carry out a variety of 
attacks, such as executing arbitrary PHP code. Successful exploitation 
of this vulnerability requires an administrator account.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[20/12/2020] - Vendor notified through HackerOne
[22/12/2020] - Vendor asks suggestions to fix the issue, feedback 
provided
[18/03/2021] - Version 8.5.5 released, vulnerability not fixed
[02/06/2021] - Asked for an update, no response
[06/07/2021] - Asked for an update, no response
[16/07/2021] - CVE number assigned
[19/07/2021] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-36766 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

https://hackerone.com/reports/1063039


[-] Original Advisory:

http://karmainsecurity.com/KIS-2021-05

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum