•  
      request #10504 Remote code execution through preg_replace() calls
    Infos
    #10504
    Thomas Gerbet (tgerbet)
    2017-10-09 15:12
    2017-07-27 13:16
    10748
    Details
    Remote code execution through preg_replace() calls

    Remote code execution can be achieved by authenticated users capable of accessing certain features.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    The administrative function of search and replace of the PHPWiki administration but other sections of Tuleap might also be impacted.

    The issue is due to an improper/missing neutralization of special elements before passing data to preg_replace(). Due to that, an attacker might be able to trigger the modifier PREG_REPLACE_EVAL to achieve code execution.

    To demonstrate the issue with search and replace administrative function of PHPWiki:

    1. Use the WikiAdminSearchReplace plugin by either accessing it from the PHPWiki admin or by adding <?plugin WikiAdminSearchReplace ?> in a wiki page.
    2. Search and replace content in a wiki with the regex feature enabled
    3. Either with an intercepting proxy or by replaying the request after the submission of the form, you want to modify the from parameter to something like somethingmatchinginthepage/e\0 and the to parameter to something like system('id');
    4. Elements will be replaced in the page by the result of your command.

    References

    CWE-624

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-08-07
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-09-28 13:29
    Upstream PHPWiki has still not been patched. Hard disclosure deadline is put on 09/10/2017.
    User avatar
    Thomas Gerbet (tgerbet)2017-09-01 14:00
    PHPWiki maintainer has responded to the notification. A fix should be available upstream in the next days.

    I'm fixing the disclosure date to one month from now.
    User avatar
    Thomas Gerbet (tgerbet)2017-08-24 09:45
    The PHPWiki maintainer has been notified again of the issue. If I do not get any acknowledgment, I'm going to move forward disclose the issue on the PHPWiki ML and request a CVE ID for it.
    User avatar
    Thomas Gerbet (tgerbet)2017-08-07 09:45
    The PHPWiki maintainer has been contacted about this issue so it can be fixed upstream.
    User avatar
    Thomas Gerbet (tgerbet)2017-07-31 15:44
    Reopening, rest of Tuleap has not been processed.

    • Status changed from Closed to Reopen
    • Close date cleared
    User avatar
    Integrated into Tuleap 9.10.99.32

    • Status changed from Under implementation to Closed
    • Connected artifacts
    • Close date set to 2017-07-31