openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability

http://www.opensis.com

• Affected Versions:

All versions from 4.5 to 5.2.

• Vulnerability Description:

The vulnerable code is located in the /ajax.php script:

 86if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
 87{
 88    if($_REQUEST['_openSIS_PDF']=='true')
 89        ob_start();
 90    if(strpos($_REQUEST['modname'],'?')!==false)
 91    {
 92        $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
 93        $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
 94 
 95        $vars = explode('?',$vars);
 96        foreach($vars as $code)
 97        {
 98            $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
 99            eval($code);
100        }
101    }

User input passed through the “modname” request variable is not properly sanitized before being used in an eval() call at line 99. This can be exploited to inject and execute arbitrary PHP code.

• Solution:

As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009

• Disclosure Timeline:

[04/12/2012] – Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/

[28/12/2012] – Vendor contacted, replied that the next version will fix the issue

[12/01/2013] – CVE number requested

[14/01/2013] – CVE number assigned

[26/04/2013] – Version 5.2 released, however the issue isn’t fixed yet

[12/05/2013] – Vendor contacted again

[15/05/2013] – Issue temporarily fixed in the SVN repository (r1009)

[04/12/2013] – After one year still no official solution available

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1349 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.