Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2021-03] ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability

Related Vulnerabilities: CVE-2021-27230  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2021-03] ExpressionEngine &lt;= 6.0.2 (Translate::save) PHP Code Injection Vulnerability</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: research () karmainsecurity com


<em>Date</em>: Mon, 15 Mar 2021 20:13:46 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">----------------------------------------------------------------------------
</pre><tt>ExpressionEngine &lt;= 6.0.2 (Translate::save) PHP Code Injection 
</tt><tt>Vulnerability
</tt><pre style="margin: 0em;">----------------------------------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="https://expressionengine.com/">https://expressionengine.com/</a>


[-] Affected Versions:

Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.


[-] Vulnerability Description:

</pre><tt>The vulnerable code is located in the 
</tt><tt>"ExpressionEngine\Controller\Utilities\Translate::save()" method:
</tt><pre style="margin: 0em;">
362.        private function save($language, $file)
363.        {
364.
365.            $file = ee()-&gt;security-&gt;sanitize_filename($file);
366.
367.            $dest_dir = $this-&gt;languages_dir . $language . '/';
368.            $filename = $file . '_lang.php';
369.            $dest_loc = $dest_dir . $filename;
370.
371.            $str = '&lt;?php' . "\n" . '$lang = array(' . "\n\n\n";
372.
373.            ee()-&gt;lang-&gt;loadfile($file);
374.
375.            foreach ($_POST as $key =&gt; $val) {
376.                $val = str_replace('&lt;script', '', $val);
377.                $val = str_replace('&lt;iframe', '', $val);
</pre><tt>378.                $val = str_replace(array("\\", "'"), array("\\\\", 
</tt><tt>"\'"), $val);
</tt><pre style="margin: 0em;">379.
</pre><tt>380.                $str .= '\'' . $key . '\' =&gt; ' . "\n" . '\'' . $val 
</tt><tt>. '\'' . ",\n\n";
</tt><pre style="margin: 0em;">381.            }
382.
383.            $str .= "''=&gt;''\n);\n\n";
384.            $str .= "// End of File";

[...]

400.            $this-&gt;load-&gt;helper('file');
401.
402.            if (write_file($dest_loc, $str)) {
403.                ee('CP/Alert')-&gt;makeInline('shared-form')
404.                    -&gt;asSuccess()
405.                    -&gt;withTitle(lang('translations_saved'))
</pre><tt>406.                    -&gt;addToBody(sprintf(lang('file_saved'), 
</tt><tt>$dest_loc))
</tt><pre style="margin: 0em;">407.                    -&gt;defer();

</pre><tt>User input passed via keys of POST parameters is not properly sanitized 
</tt><tt>before being assigned
</tt><tt>to the "$str" variable at line 380. Such a variable will be used in a 
</tt><tt>call to the "write_file()"
</tt><pre style="margin: 0em;">function at line 402, trying to write user supplied content into the
</pre><tt>/system/user/language/[lang]/[file]_lang.php file. This can be exploited 
</tt><tt>to inject and execute arbitrary PHP code. Successful exploitation of 
</tt><tt>this vulnerability requires an account with
</tt><pre style="margin: 0em;">permissions to access the CP translation system utilities.


[-] Solution:

Upgrade to version 6.0.3, 5.4.2, or later.


[-] Disclosure Timeline:

[03/02/2021] - Vendor notified through HackerOne
[15/02/2021] - Vulnerability acknowledged by the vendor
[16/02/2021] - CVE number assigned
[17/02/2021] - Version 6.0.3 released
[04/03/2021] - Version 5.4.2 released
[15/03/2021] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

<a rel="nofollow" href="https://hackerone.com/reports/1093444">https://hackerone.com/reports/1093444</a>


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2021-03">http://karmainsecurity.com/KIS-2021-03</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2021-03] ExpressionEngine &lt;= 6.0.2 (Translate::save) PHP Code Injection Vulnerability</strong> <em>research (Mar 15)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started