boiteasite / cmsuno

An easy and clever tool to create one-page responsive websites

PHP Code Execution via change password function #19

Open KietNA-68 opened 3 years ago

KietNA-68 commented 3 years ago

Dear @boiteasite, I found a security problem that can lead to remote code execution in CMSUno version 1.7.2.

Description:

The sauvePass action in the {webroot}/uno/central.php file calls the file_put_contents() function to write the username to the password.php file when the user successfully changes the password. Because the filter omits ' , " , ; , (), ..., the attacker can inject malicious PHP code into password.php.

PoC:


When the username and password are submitted, the PHP code will be executed.
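The pattern described in the report, beside one hardened way to write such a file, as an added example (not CMSUno's code and not the fix shipped in V1.7.3). The function names, the username allowlist and the probe string are assumptions made for illustration.

```php
<?php
// Added example; not CMSUno's code. All function names are hypothetical.

// Pattern the report describes: a request value is pasted into PHP source
// that is later included. A quote that survives the input filter closes the
// string literal, and whatever follows is parsed as code.
function render_unsafe(string $user, string $hash): string
{
    return "<?php \$user = '" . $user . "'; \$pass = '" . $hash . "'; ?>";
}

// Hardened writer: allowlist the username (assumed policy), then let
// var_export() build the literals so PHP itself escapes quotes and backslashes.
function render_safe(string $user, string $hash): string
{
    if (preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $user) !== 1) {
        throw new InvalidArgumentException('username has disallowed characters');
    }
    return '<?php return ' . var_export(['user' => $user, 'pass' => $hash], true) . ';';
}

// Review check: is $value present in $source as one intact string literal?
function is_single_literal(string $source, string $value): bool
{
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING
            && $tok[1] === var_export($value, true)) {
            return true;
        }
    }
    return false;
}

// Constructed probe holding the characters the report lists; it is only
// tokenized here, never included or executed.
$probe = 'o\'brien";()';
$hash  = password_hash('constructed-example', PASSWORD_DEFAULT);

var_dump(is_single_literal(render_unsafe($probe, $hash), $probe));
var_dump(is_single_literal(render_safe('admin', $hash), 'admin'));
var_dump(is_single_literal('<?php return ' . var_export($probe, true) . ';', $probe));
try {
    render_safe($probe, $hash);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Keeping such values in a data file that is read rather than included avoids the code-generation step altogether.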

boiteasite commented 3 years ago

Hi KietNA,

Thank you very much for this report. This is fixed! V1.7.3.

Regards

KietNA-68 commented 3 years ago

> Hi KietNA,
>
> Thank you very much for this report. This is fixed! V1.7.3.
>
> Regards

Thanks for your reply