Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #10504 Remote code execution through preg_replace() calls
    Actions
    Infos
    #10504
    Thomas Gerbet (tgerbet)
    2017-10-09 15:12
    2017-07-27 13:16
    10745
    Details
    Remote code execution through preg_replace() calls

    Remote code execution can be achieved by authenticated users capable of accessing certain features.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    The administrative function of search and replace of the PHPWiki administration but other sections of Tuleap might also be impacted.

    The issue is due to an improper/missing neutralization of special elements before passing data to preg_replace(). Due to that, an attacker might be able to trigger the modifier PREG_REPLACE_EVAL to achieve code execution.

    To demonstrate the issue with search and replace administrative function of PHPWiki:

    1. Use the WikiAdminSearchReplace plugin by either accessing it from the PHPWiki admin or by adding <?plugin WikiAdminSearchReplace ?> in a wiki page.
    2. Search and replace content in a wiki with the regex feature enabled
    3. Either with an intercepting proxy or by replaying the request after the submission of the form, you want to modify the from parameter to something like somethingmatchinginthepage/e\0 and the to parameter to something like system('id');
    4. Elements will be replaced in the page by the result of your command.

    References

    CWE-624

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-08-07
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10478 Tuleap Releases 9.11 Delivered 2017-18-08 11:11 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #10504

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/78/9078/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 3a6419e1f4
    User avatar Yannis ROSSETTO (rossettoy) , 2017-07-31 15:28
    request #10504: Remote code execution through preg_replace() calls in PHPWiki bd3e710349
    User avatar Thomas Gerbet (tgerbet) , 2017-07-31 10:27
    Merge commit 'refs/changes/99/9099/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 3c0acdadc6
    User avatar Nicolas Terray (nterray) , 2017-08-03 16:06
    request #10504: Remote code execution through preg_replace() calls in the Tuleap codebase 9c06c390b0
    User avatar Thomas Gerbet (tgerbet) , 2017-08-03 14:31
    Merge commit 'refs/changes/49/9149/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 543663ffb0
    User avatar Nicolas Terray (nterray) , 2017-08-04 17:46
    request #10504: Remote code execution through preg_replace() calls e81d92a341
    User avatar Thomas Gerbet (tgerbet) , 2017-08-04 13:56
    Referenced by request #10504

    Artifact Tracker v5

    rel #10478 9.11

    Other

    gerrit #9078
    gerrit #9099
    gerrit #9149
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-09-28 13:29
    Upstream PHPWiki has still not been patched. Hard disclosure deadline is put on 09/10/2017.
    User avatar
    Thomas Gerbet (tgerbet)2017-09-01 14:00
    PHPWiki maintainer has responded to the notification. A fix should be available upstream in the next days.

    I'm fixing the disclosure date to one month from now.
    User avatar
    Thomas Gerbet (tgerbet)2017-08-24 09:45
    The PHPWiki maintainer has been notified again of the issue. If I do not get any acknowledgment, I'm going to move forward disclose the issue on the PHPWiki ML and request a CVE ID for it.
    User avatar
    Thomas Gerbet (tgerbet)2017-08-07 09:45
    The PHPWiki maintainer has been contacted about this issue so it can be fixed upstream.
    User avatar
    Thomas Gerbet (tgerbet)2017-07-31 15:44
    Reopening, rest of Tuleap has not been processed.
    • Status changed from Closed to Reopen
    • Close date cleared
    User avatar
    Yannis ROSSETTO (rossettoy)2017-07-31 15:29
    Integrated into Tuleap 9.10.99.32
    • Status changed from Under implementation to Closed
    • Connected artifacts
    • Close date set to 2017-07-31