Re: [CVE-2014-1860] PHP object insertion / possible RCE in Contao CMS <= 3.2.4

[Egidio Romano <research () karmainsecurity com>]

Hello,

I believe this CVE should be rejected, because the vulnerabilities
actually don't exist, at least the ones mentioned in this report.

The reason is that user input is passed to the unserialize() function
through the Contao Input class, in which the Input::xssClean() method
removes all the NULL bytes from user input, meaning that an attacker can
be able to manipulate only the *public* properties of the injected
objects, because *protected* and *private* properties of a serialized
object are encoded with NULL bytes.

I haven't found any exploitable magic method in Contao which uses only
*public* properties, and the ones mentioned in the original report are
exploitable only through *protected* properties.

Therefore, unless someone provides a working Proof of Concept, I think
these shouldn't be considered actual security vulnerabilities.

Best Ragards,
Egidio Romano

> Hi,
>
> I have discovered a vulnerability that might lead to code execution in
> Contao CMS <= 3.2.4
> Contao CMS <= 3.2.4 does not properly validate user input in several
> locations which is then passed directly into PHP's unserialize.
>
> This has been fixed in Contao 3.2.5 as per commit:
https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957
> and
https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d
> Announcements can be found at
>
> https://contao.org/en/news/contao-3_2_5.html
>
> https://contao.org/en/news/contao-2_11_14.html
>
> Thanks to the Contao developers for being so responsive.
> The full report can be found at my repo in
> https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt
>
> Regards,
>
> Pedro Ribeiro
> Agile Information Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/