Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2020-11] qdPM <= 9.1 (executeExport) PHP Object Injection Vulnerability

Related Vulnerabilities: CVE-2020-26165  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#10">By Date</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#10">By Thread</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2020-11] qdPM &lt;= 9.1 (executeExport) PHP Object Injection	Vulnerability</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Egidio Romano &lt;n0b0d13s () gmail com&gt;


<em>Date</em>: Wed, 30 Dec 2020 22:19:30 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">--------------------------------------------------------------
qdPM &lt;= 9.1 (executeExport) PHP Object Injection Vulnerability
--------------------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="http://qdpm.net">http://qdpm.net</a>


[-] Affected Versions:

Version 9.1 and prior versions.


[-] Vulnerability Description:

The vulnerability is located in the
/core/apps/qdPM/modules/timeReport/actions/actions.class.php
script, specifically within the timeReportActions::executeExport() method:

295. public function executeExport(sfWebRequest $request)
296. {
297.   $separator = "\t";
298.   $format = $request-&gt;getParameter('format');
299.   $filename = $request-&gt;getParameter('filename');
300.
301.   $export = unserialize($request-&gt;getParameter('export'));

User input passed through the "export" request parameter is not
properly sanitized before being
used in a call to the unserialize() function at line 301. This can be
exploited by malicious users
to inject arbitrary PHP objects into the application scope, allowing
them to carry out a variety
of attacks, such as executing arbitrary OS commands.


[-] Proof of Concept:

<a rel="nofollow" href="http://karmainsecurity.com/pocs/CVE-2020-26165">http://karmainsecurity.com/pocs/CVE-2020-26165</a>


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[29/02/2020] - Vendor notified
[08/04/2020] - No response, vendor contacted again
[09/04/2020] - Vendor replies they will fix the vulnerability in a
summer release
[30/09/2020] - Summer is gone and a new version hasn't been released,
vendor contacted again
[30/09/2020] - Vendor replies they're working on version 10, and
should be ready in this year
[30/09/2020] - CVE number requested and assigned
[02/12/2020] - Vendor informed about public disclosure by the end of the year
[30/12/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-26165 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2020-11">http://karmainsecurity.com/KIS-2020-11</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#10">By Date</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#10">By Thread</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2020-11] qdPM &lt;= 9.1 (executeExport) PHP Object Injection	Vulnerability</strong> <em>Egidio Romano (Jan 03)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started