<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2021-03] ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: research () karmainsecurity com
<em>Date</em>: Mon, 15 Mar 2021 20:13:46 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">----------------------------------------------------------------------------
ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

<a rel="nofollow" href="https://expressionengine.com/">https://expressionengine.com/</a>

[-] Affected Versions:

Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the
"ExpressionEngine\Controller\Utilities\Translate::save()" method:

362. private function save($language, $file)
363. {
364.
365.     $file = ee()->security->sanitize_filename($file);
366.
367.     $dest_dir = $this->languages_dir . $language . '/';
368.     $filename = $file . '_lang.php';
369.     $dest_loc = $dest_dir . $filename;
370.
371.     $str = '<?php' . "\n" . '$lang = array(' . "\n\n\n";
372.
373.     ee()->lang->loadfile($file);
374.
375.     foreach ($_POST as $key => $val) {
376.         $val = str_replace('<script', '', $val);
377.         $val = str_replace('<iframe', '', $val);
378.         $val = str_replace(array("\\", "'"), array("\\\\", "\'"), $val);
379.
380.         $str .= '\'' . $key . '\' => ' . "\n" . '\'' . $val . '\'' . ",\n\n";
381.     }
382.
383.     $str .= "''=>''\n);\n\n";
384.     $str .= "// End of File";

[...]

400.     $this->load->helper('file');
401.
402.     if (write_file($dest_loc, $str)) {
403.         ee('CP/Alert')->makeInline('shared-form')
404.             ->asSuccess()
405.             ->withTitle(lang('translations_saved'))
406.             ->addToBody(sprintf(lang('file_saved'), $dest_loc))
407.             ->defer();

User input passed via the keys of POST parameters is not properly sanitized
before being assigned to the "$str" variable at line 380: the str_replace()
calls at lines 376-378 only escape "$val", while "$key" is concatenated into
the generated PHP source as-is. This variable is then used in a call to the
"write_file()" function at line 402, which writes the user-supplied content
into the /system/user/language/[lang]/[file]_lang.php file. This can be
exploited to inject and execute arbitrary PHP code. Successful exploitation
of this vulnerability requires an account with permissions to access the CP
translation system utilities.

[-] Solution:

Upgrade to version 6.0.3, 5.4.2, or later.

[-] Disclosure Timeline:

[03/02/2021] - Vendor notified through HackerOne
[15/02/2021] - Vulnerability acknowledged by the vendor
[16/02/2021] - CVE number assigned
[17/02/2021] - Version 6.0.3 released
[04/03/2021] - Version 5.4.2 released
[15/03/2021] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

<a rel="nofollow" href="https://hackerone.com/reports/1093444">https://hackerone.com/reports/1093444</a>

[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2021-03">http://karmainsecurity.com/KIS-2021-03</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>
</pre>
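<p>The following is an added example; it is neither ExpressionEngine's code nor part of the advisory. It shows one way a routine like the save() method above can be written so that neither POST keys nor POST values are ever emitted as PHP syntax (keys are restricted to identifiers the application already defines and everything is serialised with var_export()), together with a tokenizer-based check that a responder can run over existing <tt>*_lang.php</tt> files to confirm they still contain nothing but a flat array of string literals. The function names <tt>build_lang_file()</tt> and <tt>lang_file_is_plain_array()</tt> and the sample translations are this example's own inventions.</p>

```php
<?php
// Added example (not ExpressionEngine code): hardened construction of a
// "$lang = array(...)" language file, plus an integrity check for such files.

/**
 * Build the source of a language file from submitted translations.
 *
 * @param array<string,string> $existing  keys the application defines (trusted)
 * @param array<mixed,mixed>   $submitted user supplied key => value pairs (untrusted)
 */
function build_lang_file(array $existing, array $submitted): string
{
    $lang = [];
    foreach ($submitted as $key => $val) {
        // Only keys the application already defines are accepted; a
        // translation form never needs to introduce new identifiers.
        if (!array_key_exists($key, $existing)) {
            throw new InvalidArgumentException('unknown translation key: ' . var_export($key, true));
        }
        // Defence in depth: the key must also look like an identifier.
        if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $key)) {
            throw new InvalidArgumentException('malformed translation key');
        }
        // Values must be plain strings without NUL bytes, so that var_export()
        // below emits a single quoted literal and nothing else.
        if (!is_string($val) || strpos($val, "\0") !== false) {
            throw new InvalidArgumentException("invalid value for key '$key'");
        }
        $lang[$key] = $val;
    }
    // var_export() escapes backslashes and single quotes in every key and
    // value itself, so no hand rolled str_replace() is needed.
    return "<?php\n\n\$lang = " . var_export($lang, true) . ";\n\n// End of File\n";
}

/**
 * True only if $src is a single "$lang = array(...)" / "$lang = [...]"
 * assignment whose keys and values are all string literals. A function call,
 * a concatenation, a second statement or any other variable fails the check.
 * token_get_all() only lexes the source; nothing in the file is executed.
 */
function lang_file_is_plain_array(string $src): bool
{
    $allowedTokens = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
                      T_VARIABLE, T_ARRAY, T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING];
    $allowedChars  = ['=', '(', ')', '[', ']', ',', ';'];
    $variables = 0;
    foreach (token_get_all($src) as $token) {
        if (is_array($token)) {
            if (!in_array($token[0], $allowedTokens, true)) {
                return false;
            }
            // Exactly one variable is permitted: $lang on the left-hand side.
            if ($token[0] === T_VARIABLE && ($token[1] !== '$lang' || ++$variables > 1)) {
                return false;
            }
        } elseif (!in_array($token, $allowedChars, true)) {
            return false;
        }
    }
    return $variables === 1;
}

// --- Constructed demonstration input (not taken from the advisory) ---
$existing  = ['site_name' => 'Site name', 'welcome' => 'Welcome'];
$submitted = ['site_name' => "O'Reilly's \\ site", 'welcome' => 'Hi <b>there</b>'];

$src = build_lang_file($existing, $submitted);
echo $src;
var_dump(lang_file_is_plain_array($src));

// A key the original routine would have copied into the file verbatim is
// refused before anything is written to disk.
try {
    build_lang_file($existing, ["welcome'" => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// A language file that has grown a second statement fails the integrity check.
var_dump(lang_file_is_plain_array("<?php\n\$lang = array('a' => 'b');\nphpinfo();\n"));
```

<p>The builder deliberately does not strip <tt>&lt;script</tt> or <tt>&lt;iframe</tt> the way the original does: escaping for HTML belongs at output time, not in the stored translation. The integrity check is useful after patching, when a responder wants to know whether any file under the language directory was modified before the upgrade; because it works on tokens rather than regular expressions, it does not depend on the exact formatting the vendor's writer produces.</p>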
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->