/

Local file inclusion leading to RCE in unilogies/bumsys

Valid

Reported on

Feb 28th 2023

Description

The api handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid api token which can be obtained via a database backup (with account access), a number of different sql injections (with account access), or stolen from a user.

Proof of Concept

The following request can trigger the vulnerability. A valid api key needs to specified in the secret HTTP header. The route header specifies the file path that will be included (without the .php extension). The attacker needs to get code onto the server which can be accomplished via log poisoning or a different RCE found https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/settings/ajax.php#L1712 which allows uploading arbitrary files with extension control.

GET /api/v1/ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Connection: close
secret: test
route: ../../../../../shell

Impact

Exploitation of this vulnerability could result in remote code execution on the server.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago

Joe Rozner modified the report

3 months ago

We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago

Khurshid Alam validated this vulnerability 3 months ago

Good finding. Will fix soon. Thank you

Joe Rozner has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Khurshid Alam marked this as fixed in 2.1.1 with commit 86e29d a month ago

Khurshid Alam has been awarded the fix bounty

This vulnerability will not receive a CVE

Khurshid Alam published this vulnerability a month ago

commented a month ago

Maintainer

@admin, please assign a CVE.

commented 23 days ago

Admin

ok :)

to join this conversation

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago

Joe Rozner modified the report

3 months ago

We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago

Khurshid Alam validated this vulnerability 3 months ago

Good finding. Will fix soon. Thank you

Joe Rozner has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Khurshid Alam marked this as fixed in 2.1.1 with commit 86e29d a month ago

Khurshid Alam has been awarded the fix bounty

This vulnerability will not receive a CVE

Khurshid Alam published this vulnerability a month ago

commented a month ago

Maintainer

@admin, please assign a CVE.

commented 23 days ago

Admin

ok :)

to join this conversation