Sharetronix <= 3.1.1 Two PHP Code Injection Vulnerabilities

Disclosure Date: June 13, 2014 Last updated February 13, 2020

Description

Sharetronix 3.1.1.3, 3.1.1, and earlier allows remote attackers to execute arbitrary PHP code via the (1) activities_text parameter to services/activities/set or (2) comments_text parameter to services/comments/set, which is not properly handled when executing the preg_replace function with the e modifier.

Technical Analysis

According to the advisory: http://karmainsecurity.com/KIS-2013-11

  1. Input passed via the “activities_text” POST parameter to /services/activities/set is not properly sanitised before being used in a call to the “preg_replace()” function with the “e” modifier in the /system/classes/class_post.php script. This can be exploited to inject and execute arbitrary PHP code.

  2. Input passed via the “comments_text” POST parameter to /services/comments/set is not properly sanitised before being used in a call to the “preg_replace()” function with the “e” modifier in the /system/classes/class_postcomment.php script. This can be exploited to inject and execute arbitrary PHP code.

And: No official solution is currently available (at the time of advisory publication).

Downloaded Sharetronix 3.1.1 from the official website and found it:

  • class_postcomment.php
$message	= htmlspecialchars($this->comment_message);

if( FALSE!==strpos($message,'http://') || FALSE!==strpos($message,'http://') || FALSE!==strpos($message,'ftp://') ) {
	$message	= preg_replace('#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#ie', 'post::_postparse_build_link("\\2", "\\1")', $message);
}
  • class_post.php
$message	= htmlspecialchars($this->post_message);
if( FALSE!==strpos($message,'http://') || FALSE!==strpos($message,'http://') || FALSE!==strpos($message,'ftp://') ) {
	$message	= preg_replace('#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#ie', 'post::_postparse_build_link("\\2", "\\1")', $message);
}

Unfortunately, in both cases, htmlspecialchars is called over $this->comment_message or $this->post_message, so, even when the preg_replace with the /e flag is there, you need " to escape; unfortunately htmlspecialchars HTML-encodes " (double quotes).

I guess it was silently patched or something like that; unfortunately, I don't have access to older versions, and I can't find anything on the vendor homepage :(
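Added example, not Sharetronix code and not part of the advisory or the assessment above: the same link-building rewrite with the /e modifier dropped in favour of preg_replace_callback, which is the standard remediation for this bug class (PHP 7 removed /e entirely). post::_postparse_build_link is Sharetronix's own helper; it is replaced here by an assumed stand-in so the file runs on its own, and the sample message is constructed.

```php
<?php
// Stand-in for Sharetronix's post::_postparse_build_link (assumption: the
// real helper takes the URL and the leading whitespace capture and returns
// anchor markup). Defined here only so this file runs stand-alone.
class post {
    public static function _postparse_build_link($url, $prefix) {
        // $url has already passed through htmlspecialchars in the callers below.
        return $prefix . '<a href="' . $url . '">' . $url . '</a>';
    }
}

// Vulnerable shape (kept for comparison, not called): with /e the replacement
// string is evaluated as PHP, so the matched text is concatenated into code.
// On PHP 7+ this emits "Unknown modifier 'e'" and returns null.
function linkify_vulnerable($message) {
    $message = htmlspecialchars($message);
    return preg_replace('#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#ie',
        'post::_postparse_build_link("\\2", "\\1")', $message);
}

// Hardened form: the captures are handed to a closure as plain data, so no
// part of the message is ever interpreted as PHP source.
function linkify_safe($message) {
    $message = htmlspecialchars($message);
    return preg_replace_callback(
        '#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#i',
        function ($m) { return post::_postparse_build_link($m[2], $m[1]); },
        $message
    );
}

// Review helper: true if a PCRE pattern string carries the e modifier.
// Assumes the common case of a single-character delimiter that closes with
// the same character (as in the Sharetronix patterns, which use '#').
function has_eval_modifier($pattern) {
    $delim = $pattern[0];
    $end   = strrpos($pattern, $delim);
    $mods  = ($end === false || $end === 0) ? '' : substr($pattern, $end + 1);
    return strpos($mods, 'e') !== false;
}

$sample = 'see http://example.com/page?a=1 for details'; // constructed input
echo linkify_safe($sample), "\n";
var_dump(has_eval_modifier('#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#ie')); // bool(true)
var_dump(has_eval_modifier('#(^|\s)((http|https|ftp)://\w+[^\s\[\]]+)#i'));  // bool(false)
```

has_eval_modifier is the kind of check worth running over a code base when auditing for this pattern; preg_replace_callback is the drop-in replacement wherever it fires.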
