Unrestricted Logging Filename Lead to RCE in lirantal/daloradius
Valid
Reported on Jan 3rd 2023
Description
This vulnerability occurs because there is no restriction on the filename used for the logging file. An attacker can set the filename to an existing PHP file and append PHP code to it by manipulating the logged input.
Proof of Concept
- Log in using an operator account. In this case I try to log in using the operator1 user, which is an account that I created with ACL settings that have only rep_online enabled.
- Go to Config and click on Logging Settings. Modify the filename to any PHP file that is accessible, e.g. update.php, then enable Logging of Queries. Here I use update.php.
- Go to the rep_online feature and fill the username with PHP code, e.g. phpinfo().
- Go to update.php and you will see that phpinfo() was successfully injected.
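The two controls that close this report's weakness, as an added example in PHP that is not daloradius's own code: the log filename is confined to a fixed directory with a mandatory .log suffix, so it can never name a PHP file the web server will execute, and logged fields are stripped of control characters and tag delimiters, so injected code is stored inert. LOG_DIR and both function names are assumptions.

```php
<?php
// Added example, not daloradius code. LOG_DIR is an assumed location
// outside the web root; a file written here is never served or executed.
const LOG_DIR = '/var/log/daloradius';

function validate_log_filename(string $userInput): string {
    // Only a bare basename is accepted: no directories, no traversal.
    if (basename($userInput) !== $userInput) {
        throw new InvalidArgumentException('log filename must not contain a path');
    }
    // Strict allowlist: letters, digits, dash, underscore, mandatory .log suffix.
    // This is what prevents "update.php" (or any executable extension) from
    // being chosen as the log target.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.log\z/', $userInput)) {
        throw new InvalidArgumentException('log filename must match [A-Za-z0-9_-]+.log');
    }
    return LOG_DIR . '/' . $userInput;
}

function sanitize_log_field(string $value): string {
    // Drop control characters except tab. Newlines are included, because a
    // raw newline would let a user forge additional log entries.
    $value = preg_replace('/[\x00-\x08\x0A-\x1F\x7F]/', '', $value);
    // Neutralise the delimiters that turn logged text into a PHP or HTML tag.
    return strtr($value, ['<' => '&lt;', '>' => '&gt;', '?' => '&#63;']);
}

// Demonstration with constructed values modelled on the report.
foreach (['queries.log', 'update.php', '../update.php', 'logs/queries.log'] as $name) {
    try {
        printf("%-18s -> accepted: %s\n", $name, validate_log_filename($name));
    } catch (InvalidArgumentException $e) {
        printf("%-18s -> rejected: %s\n", $name, $e->getMessage());
    }
}
// A logged username carrying PHP tags is stored as harmless text.
echo sanitize_log_field("<?php phpinfo(); ?>\n"), PHP_EOL;
```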
Impact
An attacker can gain RCE on the server and then take over the server (read, modify, add, and delete files).
We are processing your report and will contact the lirantal/daloradius team within 24 hours.
4 months ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back
4 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
config-logging.php#L52 has been validated
