ExpressionEngine <= 6.0.2 (Translate::save) PHP Code Injection Vulnerability
• Software Link:
• Affected Versions:
Version 6.0.2 and prior versions.
Version 5.4.1 and prior versions.
• Vulnerability Description:
The vulnerable code is located in the “ExpressionEngine\Controller\Utilities\Translate::save()” method:
private function save($language, $file) { $file = ee()->security->sanitize_filename($file); $dest_dir = $this->languages_dir . $language . '/'; $filename = $file . '_lang.php'; $dest_loc = $dest_dir . $filename; $str = '<?php' . "\n" . '$lang = array(' . "\n\n\n"; ee()->lang->loadfile($file); foreach ($_POST as $key => $val) { $val = str_replace('<script', '', $val); $val = str_replace('<iframe', '', $val); $val = str_replace(array("\\", "'"), array("\\\\", "\'"), $val); $str .= '\'' . $key . '\' => ' . "\n" . '\'' . $val . '\'' . ",\n\n"; } $str .= "''=>''\n);\n\n"; $str .= "// End of File";
$this->load->helper('file'); if (write_file($dest_loc, $str)) { ee('CP/Alert')->makeInline('shared-form') ->asSuccess() ->withTitle(lang('translations_saved')) ->addToBody(sprintf(lang('file_saved'), $dest_loc)) ->defer();
User input passed via keys of POST parameters is not properly sanitized before being assigned to the “$str” variable at line 380. Such a variable will be used in a call to the “write_file()” function at line 402, trying to write user supplied content into the /system/user/language/[lang]/[file]_lang.php file. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permissions to access the CP translation system utilities.
• Solution:
Upgrade to version 6.0.3, 5.4.2, or later.
• Disclosure Timeline:
[03/02/2021] – Vendor notified through HackerOne
[15/02/2021] – Vulnerability acknowledged by the vendor
[16/02/2021] – CVE number assigned
[17/02/2021] – Version 6.0.3 released
[04/03/2021] – Version 5.4.2 released
[15/03/2021] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2021-27230 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.
• Other References: