Ticket #407 (closed bug: fixed)
Security Vulnerability in dev/less.php
| Reported by: | mr_me | Owned by: | |
|---|---|---|---|
| Priority: | urgent | Milestone: | FCMS 2.7.2 |
| Component: | Misc. | Version: | 2.7.1 |
| Severity: | | Keywords: | security, vulnerability |
| Cc: | bugs@… | | |
Description
Hi guys, I just noticed a high-risk bug within your software that may allow an attacker to execute arbitrary commands.
Although it is dependent on the victim's php.ini configuration, it is still considered a high-risk vulnerability as this environment cannot be pre-determined.
The vulnerable code is on lines 20-36 in dev/less.php:
```php
<?php
// dev/less.php, lines 20-36 as quoted in the ticket. $dir is assigned earlier
// in the file and is not part of this excerpt.
$theme = isset($argv[1]) ? $argv[1] : 'default';   // $argv is taken as trusted input
system("clear");
if (file_exists("$dir/themes/$theme/style.css"))
{
    echo "\n[ themes/$theme/style.css ] already exists.\n\n";
    echo "Overwrite [ y/n ] ? ";
    $handle = fopen("php://stdin", "r");
    $line = fgets($handle);
    if (trim($line) != 'y')
    {
        exit;
    }
}
// $theme is interpolated, unvalidated and unquoted, into a shell command line
$worked = system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css");
```
PoC:
http://192.168.220.128/[path]/dev/less.php?argv[1]=|id;
Basically, there is a call to system() using the trusted parameter array 'argv'.
P.S. I created this ticket again with a priority of urgent and a milestone of FCMS 2.7.2 so that you can fix this bug in the new version before the deadline.
Kind regards,
mr_me
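A hardened version of the same build step, written as an added example for this ticket rather than FCMS's own fix: it refuses to run under a web SAPI, reads the argument vector directly, allow-lists the theme name and passes every argument through escapeshellarg(). It assumes dev/ sits directly under the site root and that lessc lives at ~/bin/lessphp/lessc, as in the original script.

```php
<?php
// Hardened rewrite of the dev/less.php build step (added example, not FCMS code).
// Assumes dev/ sits directly under the site root, so the root is dirname(__DIR__).
declare(strict_types=1);

// 1. Refuse to run under any web SAPI: a build script that shells out should
//    not be reachable over HTTP at all, whatever php.ini says about globals.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit("This script is command-line only.\n");
}

// 2. Under the CLI SAPI, $_SERVER['argv'] is the real process argument vector;
//    the check above guarantees it cannot have been derived from a request.
$cliArgs = $_SERVER['argv'] ?? [];
$theme   = $cliArgs[1] ?? 'default';

// 3. Allow-list the value: one path component of letters, digits, '_' or '-'.
//    This rejects shell metacharacters and directory traversal in one check.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $theme)) {
    fwrite(STDERR, "Invalid theme name\n");
    exit(1);
}

$dir      = dirname(__DIR__);           // assumption: site root
$themeDir = "$dir/themes/$theme";
if (!is_dir($themeDir) || !is_file("$themeDir/dev.less")) {
    fwrite(STDERR, "No dev.less for theme '$theme'\n");
    exit(1);
}

if (file_exists("$themeDir/style.css")) {
    echo "[ themes/$theme/style.css ] already exists. Overwrite [ y/n ] ? ";
    if (trim((string) fgets(STDIN)) !== 'y') {
        exit(0);
    }
}

// 4. Even with a validated name, never splice values into a shell string:
//    escapeshellarg() quotes each argument, and the redirect is done in PHP.
$lessc = (getenv('HOME') ?: '') . '/bin/lessphp/lessc';
$cmd   = 'php -q ' . escapeshellarg($lessc) . ' ' . escapeshellarg("$themeDir/dev.less");
exec($cmd, $output, $status);
if ($status !== 0) {
    fwrite(STDERR, "lessc failed with exit status $status\n");
    exit(1);
}
file_put_contents("$themeDir/style.css", implode("\n", $output) . "\n");
echo "Wrote themes/$theme/style.css\n";
```

The SAPI check alone closes the reported issue; the allow-list and escapeshellarg() stay as defence in depth for any future caller that passes a theme name from elsewhere.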
