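ExpressionEngine Security Vulnerability

Vulnerability ID: 2383904    Vulnerability type: Other
Published: 2021-03-17    Updated: 2021-03-17
CVE ID: CVE-2021-27230

CNNVD-ID: CNNVD-202103-925
Affected platform: N/A    CVSS score: N/A
Vulnerability source
https://cxsecurity.com/issue/WLB-2021030107
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202103-925
Vulnerability details
PHP is an open-source, general-purpose scripting language jointly maintained by the PHP community. It is mainly used for web development and supports a wide range of databases and operating systems. Packet Tide ExpressionEngine is an open-source content management system (CMS) from the US company Packet Tide.
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 contains a security vulnerability that allows certain authenticated users to inject PHP code.
Vulnerability EXP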
----------------------------------------------------------------------------
ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
----------------------------------------------------------------------------
[-] Software Link:
https://expressionengine.com/
[-] Affected Versions:
Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the
"ExpressionEngine\Controller\Utilities\Translate::save()" method:
362.        private function save($language, $file)
363.        {
364.
365.            $file = ee()->security->sanitize_filename($file);
366.
367.            $dest_dir = $this->languages_dir . $language . '/';
368.            $filename = $file . '_lang.php';
369.            $dest_loc = $dest_dir . $filename;
370.
371.            $str = '<?php' . "\n" . '$lang = array(' . "\n\n\n";
372.
373.            ee()->lang->loadfile($file);
374.
375.            foreach ($_POST as $key => $val) {
376.                $val = str_replace('<script', '', $val);
377.                $val = str_replace('<iframe', '', $val);
378.                $val = str_replace(array("\\", "'"), array("\\\\", "\'"), $val);
379.
380.                $str .= '\'' . $key . '\' => ' . "\n" . '\'' . $val . '\'' . ",\n\n";
381.            }
382.
383.            $str .= "''=>''\n);\n\n";
384.            $str .= "// End of File";
[...]
400.            $this->load->helper('file');
401.
402.            if (write_file($dest_loc, $str)) {
403.                ee('CP/Alert')->makeInline('shared-form')
404.                    ->asSuccess()
405.                    ->withTitle(lang('translations_saved'))
406.                    ->addToBody(sprintf(lang('file_saved'), $dest_loc))
407.                    ->defer();
User input passed via keys of POST parameters is not properly sanitized
before being assigned to the "$str" variable at line 380. Such a variable
will be used in a call to the "write_file()" function at line 402, trying
to write user supplied content into the
/system/user/language/[lang]/[file]_lang.php file. This can be exploited
to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires an account with permissions to access the
CP translation system utilities.
[-] Solution:
Upgrade to version 6.0.3, 5.4.2, or later.
[-] Disclosure Timeline:
[03/02/2021] - Vendor notified through HackerOne
[15/02/2021] - Vulnerability acknowledged by the vendor
[16/02/2021] - CVE number assigned
[17/02/2021] - Version 6.0.3 released
[04/03/2021] - Version 5.4.2 released
[15/03/2021] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://hackerone.com/reports/1093444
[-] Original Advisory:
http://karmainsecurity.com/KIS-2021-03
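
An added example, not part of the advisory or of ExpressionEngine: a PHP token audit that flags any [file]_lang.php under the language directory whose content goes beyond the $lang = array('key' => 'value', ...) data shape that save() is meant to write. The function name audit_lang_source(), its allow-list and the two sample strings are assumptions constructed for this illustration.

```php
<?php
// Added example, not ExpressionEngine code. audit_lang_source() and its
// allow-list are assumptions made for this illustration.

/** Return findings for one language file; an empty array means plain data only. */
function audit_lang_source(string $php): array
{
    $allowedTokens = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
                      T_ARRAY, T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING];
    $allowedChars = ['=', '(', ')', ',', ';'];
    $findings = [];
    $line = 1; // single-character tokens carry no line number; reuse the last one seen
    foreach (token_get_all($php) as $tok) {
        if (is_string($tok)) {
            if (!in_array($tok, $allowedChars, true)) {
                $findings[] = "line $line: unexpected '$tok'";
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && $text === '$lang') {
            continue; // the only variable a translation file should assign
        }
        if (!in_array($id, $allowedTokens, true)) {
            $findings[] = "line $line: " . token_name($id) . ' ' . trim($text);
        }
    }
    return $findings;
}

// Constructed samples: one file shaped like save() output, one with a call expression.
$clean = "<?php\n\$lang = array(\n\n\n'btn_save' => \n'Save',\n\n''=>''\n);\n\n// End of File";
$tampered = "<?php\n\$lang = array(\n'btn_save' => \n'Save',\n'x' => strtoupper('y'),\n''=>''\n);\n";

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php audit_lang.php /path/to/system/user/language
    $paths = glob(rtrim($argv[1], '/') . '/*/*_lang.php') ?: [];
    foreach ($paths as $path) {
        foreach (audit_lang_source((string) file_get_contents($path)) as $finding) {
            echo "$path: $finding\n";
        }
    }
} else {
    // No directory given: run the self-check on the constructed samples.
    echo 'clean: ', count(audit_lang_source($clean)), " finding(s)\n";
    foreach (audit_lang_source($tampered) as $finding) {
        echo "tampered: $finding\n";
    }
}
```

A finding is a prompt for manual review rather than proof of compromise: hand-edited or third-party language files may legitimately use other syntax, such as short array brackets.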
References

Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2021-27230

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html