[KIS-2023-12] phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability

[KIS-2023-12] phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability
2023-10-27 17:45:43 Author: seclists.org(查看原文) 阅读量:13 收藏

Full Disclosure mailing list archives

From: Egidio Romano <research () karmainsecurity com>
Date: Fri, 27 Oct 2023 11:45:29 +0200

--------------------------------------------------------------
phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability
--------------------------------------------------------------


[-] Software Link:

https://www.phpfox.com


[-] Affected Versions:

Version 4.8.13 and prior versions.


[-] Vulnerability Description:

User input passed through the "url" request parameter to the/core/redirect route is not properly sanitized before being used in acall to the unserialize() PHP function. This can be exploited by remote,unauthenticated attackers to inject arbitrary PHP objects into theapplication scope, allowing them to perform a variety of attacks, suchas executing arbitrary PHP code.



[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46817.php


[-] Solution:

Upgrade to version 4.8.14 or later.


[-] Disclosure Timeline:

[05/10/2023] - Vendor contacted through https://clients.phpfox.com

[05/10/2023] - Vendor response stating "we currently do not have suchsecurity requirements"

[06/10/2023] - CVE identifier requested

[09/10/2023] - Vulnerability details shared with the vendor, stating theissue is quite critical

[17/10/2023] - Vendor contacted again, asking for an update

[18/10/2023] - Vendor response stating "this issue is fixed in ourlatest version (4.8.13)", but that's not the truth

[26/10/2023] - Version 4.8.14 released
[27/10/2023] - CVE identifier assigned
[27/10/2023] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-46817 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-12


[-] Other References:

https://docs.phpfox.com/display/FOX4MAN/phpFox+4.8.14
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

[KIS-2023-12] phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability Egidio Romano (Oct 27)

文章来源: https://seclists.org/fulldisclosure/2023/Oct/30
如有侵权请联系:admin#unsafe.sh