openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
• Software Link:
• Affected Versions:
All versions from 4.5 to 5.2.
• Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
if(clean_param($_REQUEST['modname'],PARAM_NOTAGS)) { if($_REQUEST['_openSIS_PDF']=='true') ob_start(); if(strpos($_REQUEST['modname'],'?')!==false) { $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1)); $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?')); $vars = explode('?',$vars); foreach($vars as $code) { $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';"); eval($code); } }
User input passed through the “modname” request variable is not properly sanitized before being used
in a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
• Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
• Disclosure Timeline:
[04/12/2012] – Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] – Vendor contacted, replied that the next version will fix the issue
[12/01/2013] – CVE number requested
[14/01/2013] – CVE number assigned
[26/04/2013] – Version 5.2 released, however the issue isn’t fixed yet
[12/05/2013] – Vendor contacted again
[15/05/2013] – Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] – After one year still no official solution available
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.