Exploiting an N-day vBulletin PHP Object Injection Vulnerability

vBulletin is one of the most popular proprietary forum solutions on the Internet. It is used by some major websites, and according to the BuiltWith website, vBulletin currently ranks second in the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2,000 websites using it among the “top 1 million”. vBulletin is also known for some famous 0-day Remote Code Execution (RCE) vulnerabilities that led to significant data breaches in 2019 and 2020. These are presumably the most famous, but it does boast a long history of security vulnerabilities. However, the one we are going to detail in this blog post is, as far as I know, an unknown and silently patched vulnerability that was fixed in July 2019 with the release of version 5.5.3. I’ve decided to write this blog post because I think it might be interesting to show the “magic” and potential of PHP Object Injection vulnerabilities… Let’s dig into it!

ImpressCMS: from unauthenticated SQL injection to RCE

According to the official website, ImpressCMS is an open source Content Management System (CMS) designed to easily and securely manage multilingual web sites. With this tool, maintaining the content of a website becomes as easy as writing a Word document. ImpressCMS is the ideal tool for a wide range of users: from business to community users, from large enterprises to people who want a simple, easy to use blogging tool. ImpressCMS is a powerful system that gets outstanding results, and it is free!
The application comes with a built-in security module – Protector – which is designed to improve the overall security of ImpressCMS websites and prevent certain web attacks such as Cross-Site Scripting (XSS) and SQL Injection. In this blog post we will see how to bypass such a security mechanism to exploit a couple of vulnerabilities I discovered about a year ago, which might eventually allow unauthenticated attackers to execute arbitrary PHP code on the web server (RCE)…

Tales of SugarCRM Security Horrors

SugarCRM is a pretty popular Customer Relationship Management (CRM) application written in PHP. It was born in 2004 as an open source project hosted on SourceForge, a development repository for free software. By June of the same year, the rapid success of the project allowed the original developers to found SugarCRM Inc. and raise $2 million in venture capital. A month later, on July 3, Sugar Open Source version 1.0 was released. By October 2004, more than 35,000 people had downloaded the software, which had been upgraded to version 2.0, and it was named “Project of the Month” on SourceForge. Since then, the company has become one of the most popular CRM vendors in the world, and this growing popularity has provided SugarCRM with sixteen consecutive quarters of revenue growth, namely an 80% year-over-year growth reported at the end of 2013. Up until that moment, the project had been developed by the company working closely with the development community and releasing both open source (Community Edition) and commercial versions. However, a blog post published in February 2014 provoked angry reactions from the development community, because it announced that the company would no longer be releasing new open source versions of its Community Edition, which would become a bug-fix-only application…

Hacking Magento eCommerce For Fun And 17.000 USD

Magento, which was acquired by eBay Inc. back in 2011, is one of the most popular e-commerce platforms written in PHP. There is an interesting bug bounty program in place that offers bounties of up to $10,000 for Information Disclosure and Remote Code Execution vulnerabilities. In November 2014, I decided to give it a try, so I started looking for security bugs in Magento CE, and almost immediately I discovered a PHP Object Injection vulnerability which (un)fortunately requires administrator privileges in order to be exploited. I thought this reason was good enough to choose not to report my finding under their bug bounty program, since Magento administrators should already be able to upload and execute arbitrary code through the administration panel. However, after a couple of weeks a friend of mine encouraged me to submit the finding, because you never know. So I did, and when I had finished writing my report, including a PoC, and was about to send it, I noticed that the bug had already been (silently!) patched only a few days earlier! The researcher who reported the vulnerability was awarded $2,500 for the very same finding…

My adventure at JoomlaDay Italy 2013 (and my thoughts on the JSST)

Just a year ago I had the pleasure of talking about the PHP Object Injection vulnerabilities I discovered in Joomla at JoomlaDay Italy 2013, held in Naples, one of the most beautiful cities I have ever seen. Today I would like to share with you my experience on that day and some further details about the disclosure process I had with the Joomla! Security Strike Team (JSST). Before that, I would like to take the opportunity to say thank you to Alessandro Rossi (AlexRed), one of the Italian JoomlaDay’s organizers, and most of all the guy who personally invited me onto the JoomlaDay stage, giving me the chance to show that the vulnerabilities I discovered are actually a bit more critical than what the JSST has stated in its bulletins. I’m well aware that Joomla is an open source project and all developers are working in their spare time, so it’s not entirely fair to point the finger at them. On the other hand, as the second most popular CMS software on the Internet, I think its security should be taken very seriously, and I guess this is the reason why in August 2008 they introduced the Joomla! Security Strike Team.

Exploiting CVE-2014-1691: Horde Framework PHP Object Injection Vulnerability

Welcome to my third blog post ever, the first in this new year, but still talking about an old friend of mine. Yes, 2014 is here, however the topic is always the same: PHP Object Injection! Perhaps those few people who read my blog are wondering if I will ever write about something else, or whether this is going to be a monothematic blog… Well, who knows?! It could be, or maybe not, but the point is that right now I’m really in love with this kind of vulnerability, and today I would like to share with you what in my view is an interesting story about a PHP Object Injection vulnerability which affected the Horde Framework.
I noticed this vulnerability in late May 2013, during my free time, while testing the Horde Framework version 5.1.0. At first I spotted only a couple of useful magic methods which could be leveraged to carry out some kind of attack. The first interesting thing I noticed was in the Horde_Auth_Passwd::__destruct method, which allows arbitrary files to be renamed through some of its properties. I thought that this could somehow be exploited even to achieve arbitrary code execution (e.g. renaming a log file to something.php) or to cause a Denial of Service condition by renaming an essential file like /config/conf.php; however, the point is that the full path of the file to be renamed must be known, and this requirement increases the attack’s complexity, making the issue quite weak.

Yet Another Joomla PHP Object Injection Vulnerability

Last week I disclosed KIS-2013-04, another PHP Object Injection vulnerability which affects the Joomla CMS. I had initially reported this vulnerability to the Joomla Security Strike Team in December last year, within an e-mail reply about the KIS-2013-03 vulnerability: “Furthermore, I would suggest you investigate other potentially vulnerable unserialize calls, for example the plgSystemRemember::onAfterInitialise method uses the unserialize function with user input passed through cookies, but I’m not sure it may be exploitable, due to the encryption system”.
In early February new Joomla updates were released, which included fixes for three security issues, among them the “highlighter” PHP Object Injection vulnerability. However, these updates did not fix the “remember me” vulnerability, so on February 12 I sent another e-mail to the Joomla Security Strike Team: “I noticed that the unserialize call is still present within the plgSystemRemember::onAfterInitialise method in versions 3.0.3 and 2.5.9, so I was looking a bit deeper, in order to understand if I was wrong when I said «I’m not sure it may be exploitable, due to the encryption system», and sadly I was wrong!”.

Analysis of the Joomla PHP Object Injection Vulnerability

Today I disclosed KIS-2013-03, a PHP Object Injection vulnerability which affects the Joomla CMS. I reported this vulnerability to the Joomla Security Strike Team only some months ago, but to be honest I had noticed that vulnerable unserialize() call a long time before. The only reason I had not notified them earlier is that I thought it wasn’t exploitable: I had not noticed any useful magic method which could be abused to conduct malicious attacks, so I had come to the conclusion that it wasn’t an actual security vulnerability.
Some time later, after the release of Joomla 3.0, I decided to look again at the Joomla source code in order to see if some useful magic method had been added. I didn’t find many new PHP classes or magic methods compared to those present in Joomla 2.5, but I noticed a small change inside a destructor method which was the key for me to understand that the vulnerability actually exists and can be exploited through (but not only) this magic method.