what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ForkCMS PHP Object Injection

ForkCMS PHP Object Injection
Posted Mar 12, 2021
Authored by Wolfgang Hotwagner | Site ait.ac.at

ForkCMS versions prior to 5.8.3 suffer from a PHP object injection vulnerability.

tags | exploit, php
advisories | CVE-2020-24036
SHA-256 | fc94d42d043e4a90dc4bd339643f8d95cc873f96e7f9dd33fb84c5094fc4b0a1

ForkCMS PHP Object Injection

Change Mirror Download
ForkCMS PHP Object Injection
=========================
| Identifier: | AIT-SA-20210215-04 |
| Target: | ForkCMS |
| Vendor: | ForkCMS |
| Version: | all versions below version 5.8.3 |
| CVE: | CVE-2020-24036 |
| Accessibility: | Remote |
| Severity: | Medium |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=========
[ForkCMS is an open source cms written in PHP.](https://www.fork-cms.com/)

VULNERABILITY DESCRIPTION
========================
PHP object injection in the Ajax-endpoint of the backend in ForkCMS below version 5.8.3 allows authenticated remote user to execute malicious code.

The ajax-callbacks for the backend use unserialize without restrictions or any validations. An authenticated user could abuse this to inject malicious PHP-Objects which could lead to remote code execution:

```
<?php

namespace Backend\Core\Ajax;

use Backend\Core\Engine\Base\AjaxAction as BackendBaseAJAXAction;

use Symfony\Component\HttpFoundation\Response;

/**

* This action will generate a valid url based upon the submitted url.

*/

class GenerateUrl extends BackendBaseAJAXAction

{

public function execute(): void

{

// call parent, this will probably add some general CSS/JS or other required files

parent::execute();

// get parameters

$url = $this->getRequest()->request->get('url', '');

$className = $this->getRequest()->request->get('className', '');

$methodName = $this->getRequest()->request->get('methodName', '');

$parameters = $this->getRequest()->request->get('parameters', '');

// cleanup values

$parameters = unserialize($parameters); // $B"+(B VULNERABLE CODE

// fetch generated meta url

$url = urldecode($this->get('fork.repository.meta')->generateUrl($url, $className, $methodName, $parameters));

// output

$this->output(Response::HTTP_OK, $url);

}

}
```

PROOF OF CONCEPT
=================
In order to exploit this vulnerability, an attacker has to be authenticated with least privileges. We tested this exploit with $B!H(BDashboard$B!I(B permissions.

For demonstration purposes we created a proof of concept exploit that deletes files and directories from the webserver. With more effort an attacker might also find a payload for executing a webshell. There are many gadgets available in the vendor directory for potential payloads.

The object-injection code for generating a payload might look as following:

```
'O:27:"Swift_KeyCache_DiskKeyCache":1:{s:4:"keys";a:1:{s:%d:"%s";a:1:{s:%d:"%s";s:9:"something";}}}' % (len(filepath),filepath,len(deletefile),deletefile)
```

VULNERABLE VERSIONS
===================
All versions including 5.8.1 are affected.

TESTED VERSIONS
===============
ForkCMS 5.8.1 (with Debian 10 and PHP 7.3.14-1)

IMPACT
======
An authenticated user with minimal privileges could execute malicious code.


MITIGATION
==========
Fork-5.8.3 fixed that issue

VENDOR CONTACT TIMELINE
========================
| 2020-05-01 | Contacting the vendor |
| 2020-06-08 | Vendor replied |
| 2020-07-07 | Vendor released an updated version |
| 2021-02-15 | Public disclosure |

ADVISORY URL
============
[https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms](https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms)


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close