Vulnerability details

ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
[-] Software Link:
https://expressionengine.com/
[-] Affected Versions:
Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the
"ExpressionEngine\Controller\Utilities\Translate::save()" method:
362.     private function save($language, $file)
363.     {
364.
365.         $file = ee()->security->sanitize_filename($file);
366.
367.         $dest_dir = $this->languages_dir . $language . '/';
368.         $filename = $file . '_lang.php';
369.         $dest_loc = $dest_dir . $filename;
370.
371.         $str = '<?php' . "\n" . '$lang = array(' . "\n\n\n";
372.
373.         ee()->lang->loadfile($file);
374.
375.         foreach ($_POST as $key => $val) {
376.             $val = str_replace('<script', '', $val);
377.             $val = str_replace('<iframe', '', $val);
378.             $val = str_replace(array("\\", "'"), array("\\\\", "\'"), $val);
379.
380.             $str .= '\'' . $key . '\' => ' . "\n" . '\'' . $val . '\'' . ",\n\n";
381.         }
382.
383.         $str .= "''=>''\n);\n\n";
384.         $str .= "// End of File";
[...]
400.         $this->load->helper('file');
401.
402.         if (write_file($dest_loc, $str)) {
403.             ee('CP/Alert')->makeInline('shared-form')
404.                 ->asSuccess()
405.                 ->withTitle(lang('translations_saved'))
406.                 ->addToBody(sprintf(lang('file_saved'), $dest_loc))
407.                 ->defer();
User input passed via keys of POST parameters is not properly sanitized
before being assigned to the "$str" variable at line 380. Such a variable
will be used in a call to the "write_file()" function at line 402, trying
to write user supplied content into the
/system/user/language/[lang]/[file]_lang.php file. This can be exploited
to inject and execute arbitrary PHP code. Successful exploitation of this
vulnerability requires an account with permissions to access the CP
translation system utilities.
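The root cause above is that both POST keys and values are spliced into PHP source by string concatenation, with only an ad-hoc quote escape applied to values and none to keys. The following is an added example, not ExpressionEngine's code and not part of the advisory, showing how a defender would rebuild the writer: it accepts only keys that already exist in the language file being edited, serialises the values with var_export() so PHP itself produces the string literals, and tokenizes the generated source to confirm it is pure data before anything is passed to write_file(). The function names buildLangFile() and isDataOnlyPhp(), the $allowedKeys list and the sample submission are assumptions made for this example.

```php
<?php
// Added example, not ExpressionEngine's code: a hardened way to regenerate a
// *_lang.php file from submitted translations. buildLangFile(),
// isDataOnlyPhp(), $allowedKeys and the sample input below are assumptions.

/**
 * Build the contents of a language file from submitted translations.
 *
 * $allowedKeys holds the keys the language file being edited already
 * defines in $lang. Anything else in the submission is dropped, so a
 * submitted key never reaches the generated source. Values are serialised
 * with var_export(), which emits a PHP string literal with every quote and
 * backslash escaped by PHP itself, instead of the str_replace() chain.
 */
function buildLangFile(array $submitted, array $allowedKeys): string
{
    $allowed = array_fill_keys($allowedKeys, true);
    $lang = [];

    foreach ($submitted as $key => $val) {
        // Unknown keys and non-string values (arrays, nulls) are ignored.
        if (!isset($allowed[$key]) || !is_string($val)) {
            continue;
        }
        $lang[$key] = $val;
    }

    return "<?php\n\n\$lang = " . var_export($lang, true) . ";\n\n// End of File\n";
}

/**
 * Defence in depth before write_file(): tokenize the generated source and
 * refuse it if anything other than the open tag, whitespace, a comment, the
 * $lang variable, an array literal of scalar keys/values and the needed
 * punctuation is present. A value that somehow broke out of its quotes
 * would surface as an identifier or a call and be rejected here.
 */
function isDataOnlyPhp(string $php): bool
{
    $allowedTokens = [
        T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE, T_ARRAY,
        T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW, T_LNUMBER, T_DNUMBER,
    ];
    // '.' and '-' cover var_export's output for NUL bytes and negative ints.
    $allowedChars = ['=', '(', ')', ',', ';', '.', '-'];

    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if ($tok[0] === T_VARIABLE && $tok[1] !== '$lang') {
                return false;
            }
            if (!in_array($tok[0], $allowedTokens, true)) {
                return false;
            }
        } elseif (!in_array($tok, $allowedChars, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: the keys the existing language file defines.
$allowedKeys = ['translations_saved', 'file_saved'];

// Constructed sample submission shaped like $_POST: one unknown key, and a
// value containing a quote, a backslash and a closing PHP tag.
$submitted = [
    'translations_saved' => "Saved O'Reilly's file \\ ?> done",
    'not_a_real_key'     => 'dropped',
];

$php = buildLangFile($submitted, $allowedKeys);

if (!isDataOnlyPhp($php)) {
    throw new RuntimeException('generated language file is not pure data');
}

// Round-trip the file the way the application would later load it.
$tmp = tempnam(sys_get_temp_dir(), 'lang');
file_put_contents($tmp, $php);
include $tmp;
unlink($tmp);

// $lang now holds exactly one key, with the quote, backslash and "?>"
// preserved as data rather than interpreted as code.
var_dump($lang);
```

The allowlist is the decisive control: the keys of a translation file are fixed by the application, so there is no legitimate reason to accept an arbitrary key from the request. The tokenizer check costs little and catches a regression in the serialisation step, which is exactly the kind of subtle escaping mistake the original str_replace() chain represents.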
[-] Solution:
Upgrade to version 6.0.3, 5.4.2, or later.
[-] Disclosure Timeline:
[03/02/2021] - Vendor notified through HackerOne
[15/02/2021] - Vulnerability acknowledged by the vendor
[16/02/2021] - CVE number assigned
[17/02/2021] - Version 6.0.3 released
[04/03/2021] - Version 5.4.2 released
[15/03/2021] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://hackerone.com/reports/1093444
[-] Original Advisory:
http://karmainsecurity.com/KIS-2021-03
References
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-27230
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/161805/ExpressionEngine-6.0.2-PHP-Code-Injection.html