Zikula Application Framework <= 1.3.6 Multiple PHP Object Injection Vulnerabilities
• Software Link:
• Affected Versions:
Version 1.3.6 and probably prior versions.
• Vulnerabilities Description:
-
Input passed via the “authentication_method_ser” and “authentication_info_ser” POST parameters to index.php (when “module” is set to “users”, “func” is set to “register”, “csrftoken” is set to a valid value, and “registration_info” is set to an arbitrary value) is not properly sanitised before being used in a call to the
unserialize()PHP function. This can be exploited to e.g. delete arbitrary files or inject and execute arbitrary PHP code via specially crafted serialized objects. -
Input passed via the “zikulaMobileTheme” cookie parameter to index.php is not properly sanitised before being used in a call to the
unserialize()PHP function in the /lib/util/SecurityUtil.php script. This can be exploited to e.g. delete arbitrary files or inject and execute arbitrary PHP code via specially crafted serialized objects sent in a “Cookie” header.
• Solution:
Update to version 1.3.7.
• Disclosure Timeline:
[16/01/2014] – Request for contact details
[16/01/2014] – Vendor response
[21/01/2014] – Vendor notified
[26/01/2014] – Vendor response, fix scheduled for mid February
[17/02/2014] – Vendor releases updates
[10/03/2014] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-2293 to these vulnerabilities.
• Credits:
Vulnerabilities discovered by Egidio Romano, Secunia Research.