Unrestricted Logging Filename Leads to RCE in lirantal/daloradius

Valid

Reported on

Jan 3rd 2023


Description

This vulnerability occurs because there is no restriction on the filename used to save the logging file. An attacker can therefore set the filename to an existing PHP file and append PHP code to it by manipulating the logged input.
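
As an added hardening example (not daloRADIUS's own code, and not the fix the maintainer shipped), the PHP function below shows how a logging module can validate an operator-supplied filename so that it can only ever name a plain `.log` file directly inside a fixed log directory. The function name, the `$logDir` parameter and the sample inputs are assumptions for illustration.

```php
<?php
// Added hardening example: validate an operator-supplied log filename
// before the logging module opens it. Assumptions: all logs live under a
// fixed directory ($logDir) and must use the ".log" extension; the
// function name and signature are hypothetical, not daloRADIUS's API.

declare(strict_types=1);

/**
 * Return an absolute path inside $logDir for $requested, or throw if the
 * name could refer to anything other than a plain ".log" file there.
 */
function validateLogFilename(string $requested, string $logDir): string
{
    $name = trim($requested);

    // Reject any directory component: "../update.php" is refused here
    // rather than silently reduced to "update.php".
    if ($name === '' || $name !== basename($name)) {
        throw new InvalidArgumentException('directory components are not allowed');
    }

    // Allow-list: must start with an alphanumeric character (which also
    // rules out dot-files and ".."), use a conservative character set,
    // and end in ".log". A name such as "update.php" fails this check.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.log$/', $name)) {
        throw new InvalidArgumentException("invalid log filename: {$name}");
    }

    // Belt and braces: refuse an embedded executable extension such as
    // "queries.php.log", which some web server configurations still
    // hand to the PHP interpreter.
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $name)) {
        throw new InvalidArgumentException("disallowed extension in: {$name}");
    }

    $dir = realpath($logDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException("log directory does not exist: {$logDir}");
    }

    // Final check: the resolved path must sit directly under the log directory.
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (dirname($path) !== $dir) {
        throw new RuntimeException('path escaped the log directory');
    }
    return $path;
}

// Constructed sample inputs, as an operator might submit them in the
// logging settings form (these values are made up for the demonstration).
$samples = [
    'daloradius.log',    // accepted
    'update.php',        // rejected: not a .log file
    '../update.php',     // rejected: directory component
    'queries.php.log',   // rejected: embedded executable extension
    '.hidden.log',       // rejected: leading dot
];
$logDir = sys_get_temp_dir();
foreach ($samples as $sample) {
    try {
        echo 'accepted: ' . validateLogFilename($sample, $logDir) . PHP_EOL;
    } catch (Exception $e) {
        echo "rejected {$sample}: " . $e->getMessage() . PHP_EOL;
    }
}
```

Restricting the filename is the control that removes the code-execution path described above, because a `.log` file under the log directory is never served through the PHP interpreter. Encoding or stripping control characters and PHP tags from logged field values is a complementary measure, but on its own it does not address the root cause, which is that the log target can be any file the web server executes.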

Proof of Concept

  1. Log in using an operator account; in this case I tried to log in using the operator1 user, which is an account that I created with only rep_online enabled in the ACL Settings.
  2. Go to Config and click on Logging Settings. Modify the filename to any accessible PHP file, e.g. update.php, then enable Logging of Queries. Here I use update.php.
  3. Go to the rep_online feature and fill in the username with PHP code, e.g. phpinfo()
  4. Go to update.php and you will see that phpinfo() was successfully injected.

Impact

An attacker can gain RCE on the server and then take over the server (read, modify, add, and delete files).

References

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 6 days ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back 5 days ago
lirantal/daloradius maintainer has acknowledged this report 5 days ago
Filippo modified the Severity from High (8.8) to High (7.2) 5 days ago
Filippo gave praise 5 days ago
Filippo validated this vulnerability 5 days ago
Zen has been awarded the disclosure bounty
The fix bounty is now up for grabs
Filippo marked this as fixed in master-branch with commit 2013c2 5 days ago
Filippo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Filippo published this vulnerability 5 days ago
config-logging.php#L52 has been validated