X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability


• Affected Versions:

All versions from 2.8 to 4.1.7.

• Vulnerability Description:

The vulnerable code is located in the actionSendErrorReport() method defined in /protected/controllers/SiteController.php:

153public function actionSendErrorReport(){
154    if(isset($_POST['report'])){
155        $errorReport = $_POST['report'];
156        $errorReport = unserialize(base64_decode($errorReport));
157        if(isset($_POST['email'])){
158            $errorReport['email'] = $_POST['email'];
159        }

User input passed through the “report” POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function at line 156. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an attacker to carry out Server-Side Request Forgery (SSRF) and possibly other attacks via specially crafted serialized objects.

• Solution:

Apply the vendor patch or update to version 4.2 or later.

• Disclosure Timeline:

[31/07/2014] – Vendor notified

[31/07/2014] – Vendor released security patch: http://x2community.com/?showtopic=1804

[01/08/2014] – CVE number requested

[16/08/2014] – CVE number assigned

[05/09/2014] – Version 4.2 released

[23/09/2014] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-5297 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.