A few months ago, while scanning the external attack surface of one of our clients, our autonomous pentesting product NodeZero identified an instance of an application called ResourceSpace exposed to the Internet. ResourceSpace is a digital asset management tool that enables users to organize their digital assets. We thought it was interesting that no vulnerabilities had been publicly disclosed against the product since 2015. So we decided to pull down the latest source code to take a closer look.

During our assessment of the ResourceSpace code base, we found three new vulnerabilities that could be exploited by an unauthenticated attacker. The most critical is CVE-2021-41765, a pre-auth SQL injection that an attacker can abuse to gain remote code execution (RCE) privileges on the ResourceSpace server. The other two vulnerabilities identified were CVE-2021-41950, a path traversal vulnerability that can be used to delete arbitrary files on the file system, and CVE-2021-41951, a reflected cross-site scripting (XSS) vulnerability. All three vulnerabilities were promptly patched by the vendor, Montala Limited.

CVE-2021-41765: Unauthenticated SQLi to RCE Chain

ResourceSpace is an older-generation PHP application in which many of the core functions and libraries used for input sanitization were built from scratch. SQL queries are built using string concatenation, and to prevent SQL injection, certain functions like escape_check and getvalescaped are used extensively throughout the code base to sanitize input variables. It requires discipline on the part of developers to consistently apply these sanitization functions.

ResourceSpace 9.5 was released in March 2021, and one of the new features announced as part of that release was "external upload shares." This feature makes it possible for users without ResourceSpace accounts to upload content to ResourceSpace. To implement this feature, changes were made to the authentication and authorization logic. Those changes inadvertently introduced this vulnerability; specifically, we found one instance where an input parameter was not getting sanitized.

This is parameter k in the file pages/edit_fields/9_ajax/add_keyword.php:

(screenshots of the affected code)

Parameter k represents an authorization key for an external share, and its value is passed to the check_access_key_collection function in include/user_functions.php. Along with k, an identifier for the external share, upload_collection, is also passed into the check_access_key_collection function. Upon further inspection, it turns out that the value of upload_collection can be passed in from a cookie called upload_share_active, and the value of 1 can always be used for this share even if no external shares have been set up by the ResourceSpace admin. The function check_access_key_collection takes in the value of k as the $key variable and directly sends it to a SQL query, resulting in the SQL injection vulnerability.

We used sqlmap to confirm the SQL injection in a local test environment. sqlmap confirmed the injection as a boolean-based blind SQL injection.

The unauthenticated SQL injection allows an attacker to dump the entire contents of the ResourceSpace database. We found that this data includes users' session cookies, which are stored in the session column in the user table. If the admin's session cookie is in the database, an attacker can abuse the SQL injection to get access as an admin user.

Using sqlmap to dump all usernames, password hashes, and session cookies:

(screenshot of sqlmap output)

Once the session cookie was captured, we were able to set the stolen session cookie in the web browser to access the ResourceSpace home page:

(screenshot of the ResourceSpace home page)

It is very common for admin access to a web application to result in remote code execution privileges on the underlying server. We've described this phenomenon in several previous posts.

The PHP webshell shown in the original screenshot survives only as this truncated fragment: `$cmd = ($_REQUEST) system($cmd) echo "" die }?>`

Related post: Unauthenticated XSS to Remote Code Execution Chain in Mautic
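As an added illustration of the pattern described above (this is not ResourceSpace's own code, and the table and column names are assumptions), here is a simplified access-key lookup built by string concatenation next to the same lookup rewritten as a prepared statement, which removes the dependence on every caller remembering to sanitize first:

```php
<?php
// Illustrative example, not ResourceSpace's code. Assumes a mysqli connection
// and a hypothetical table external_access_keys(access_key, collection).

// VULNERABLE pattern: $key is spliced into the query text, so a value such as
// x' OR 1=1 -- rewrites the WHERE clause. This is the shape of bug that
// sqlmap reports as boolean-based blind SQL injection.
function check_access_key_collection_vulnerable(mysqli $db, string $key, int $collection): bool
{
    $sql = "SELECT collection FROM external_access_keys"
         . " WHERE access_key = '" . $key . "' AND collection = " . $collection;
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// HARDENED pattern: the key is bound as a parameter, so the driver sends it
// as data and never interprets it as SQL. Optional allowlist validation on
// the key format (assumed here to be alphanumeric) adds defense in depth and
// gives a clean place to log rejected input.
function check_access_key_collection_hardened(mysqli $db, string $key, int $collection): bool
{
    if ($key === '' || !ctype_alnum($key)) {
        error_log('rejected malformed external access key');
        return false;
    }
    $stmt = $db->prepare(
        "SELECT collection FROM external_access_keys WHERE access_key = ? AND collection = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $key, $collection);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}
```

When reviewing a code base that relies on escape helpers such as escape_check, grepping for query strings that concatenate a request-derived variable without passing through one of those helpers is the quickest way to find the instances the helpers missed.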