Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="21"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#23">By Date</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="21"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#23">By Thread</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2023-14] PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Egidio Romano <n0b0d13s () gmail com>
<em>Date</em>: Thu, 14 Dec 2023 19:41:05 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">---------------------------------------------------------------------------------
PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution
Vulnerability
---------------------------------------------------------------------------------
[-] Software Links:
<a rel="nofollow" href="https://pkp.sfu.ca">https://pkp.sfu.ca</a>
<a rel="nofollow" href="https://github.com/pkp/pkp-lib">https://github.com/pkp/pkp-lib</a>
[-] Affected Versions:
PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3
and prior versions, as used in Open Journal Systems (OJS), Open
Monograph Press (OMP), and Open Preprint Systems (OPS) before versions
3.4.0-4 or 3.3.0-16.
[-] Vulnerabilities Description:
The vulnerability is located in the
/plugins/importexport/native/filter/PKPNativeFilterHelper.php script.
Specifically, into the
"PKPNativeFilterHelper::parsePublicationCover()" method:
100. public function parsePublicationCover($filter, $node, $object)
101. {
102. $deployment = $filter->getDeployment();
103.
104. $context = $deployment->getContext();
105.
106. $locale = $node->getAttribute('locale');
107. if (empty($locale)) {
108. $locale = $context->getPrimaryLocale();
109. }
110.
111. $coverImagelocale = [];
112. $coverImage = [];
113.
114. for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) {
115. if ($n instanceof DOMElement) {
116. switch ($n->tagName) {
117. case 'cover_image':
118. $coverImage['uploadName'] = $n->textContent;
119. break;
120. case 'cover_image_alt_text':
121. $coverImage['altText'] = $n->textContent;
122. break;
123. case 'embed':
124. $publicFileManager = new PublicFileManager();
125. $filePath =
$publicFileManager->getContextFilesPath($context->getId()) . '/' .
$coverImage['uploadName'];
126. file_put_contents($filePath,
base64_decode($n->textContent));
127. break;
User input passed through the cover image tags of the import XML file
is not properly sanitized before being used at line 118 to construct a
variable, which is later used as the final part of the filepath used
in a call to the file_put_contents() PHP function at line 126. This
can be exploited to write/overwrite arbitrary files on the web server
via Path Traversal sequences, leading to execution of arbitrary PHP
code.
Successful exploitation of this vulnerability requires an account with
permissions to access the "Import/Export" plugin, such as a Journal
Editor or Production Editor user.
[-] Solution:
Upgrade to version 3.4.0-4 or later.
[-] Disclosure Timeline:
[14/10/2023] - Vendor notified
[26/10/2023] - Vendor fixed the issue and opened a public GitHub
issue: <a rel="nofollow" href="https://github.com/pkp/pkp-lib/issues/9464">https://github.com/pkp/pkp-lib/issues/9464</a>
[05/11/2023] - CVE identifier assigned
[17/11/2023] - Version 3.4.0-4 released
[14/12/2023] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-47271 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
<a rel="nofollow" href="http://karmainsecurity.com/KIS-2023-14">http://karmainsecurity.com/KIS-2023-14</a>
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="https://seclists.org/fulldisclosure/">https://seclists.org/fulldisclosure/</a>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="21"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#23">By Date</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="21"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#23">By Thread</a>
<a href="24"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2023-14] PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability</strong> <em>Egidio Romano (Dec 19)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>