Lack of Input Sanitization leads to RCE in lirantal/daloradius


Reported on

Jan 4th 2023


This vulnerability occurs because user-controlled input is not sanitized during the configuration update process. The input is later written to another .php file, which can lead to RCE.

Proof of Concept

  1. Go to Config then go to Mail Settings

  2. Change the From Email Address value to a malicious payload, e.g. ';phpinfo();$a='x

  3. Go to config-mail.php or library/daloradius.conf.php to see the executed code

[Screenshots: injected code in library/daloradius.conf.php; executed code on config-mail.php; executed code on library/daloradius.conf.php]


An attacker can gain RCE and take over the server (read, modify, delete, and add files).
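The root cause and its fix, as an added example that is not part of the original report and not daloRADIUS code. It assumes each setting is stored as a single-quoted PHP string assignment; the function names and the key EXAMPLE_MAIL_FROM are hypothetical. It renders the payload from step 2 with an unescaped writer and with var_export(), then asks the PHP tokenizer which identifiers ended up as code.

```php
<?php
// Added example; hypothetical helper names, not daloRADIUS code.
// Assumption: each setting is stored as a single-quoted PHP assignment.

// Vulnerable pattern: the value is pasted between the quotes unescaped.
function render_setting_unsafe(string $key, string $value): string
{
    return "\$configValues['$key'] = '$value';\n";
}

// Hardened pattern: var_export() emits a correctly escaped PHP literal,
// so quotes and backslashes in the value stay inside the string.
function render_setting_safe(string $key, string $value): string
{
    return '$configValues[' . var_export($key, true) . '] = '
         . var_export($value, true) . ";\n";
}

// Field-level validation, applied before anything is written. It does not
// replace escaping: an apostrophe is legal in an e-mail local part.
function is_valid_from_address(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Return the identifiers the PHP tokenizer sees as code (outside literals).
function code_identifiers(string $generated): array
{
    $names = [];
    foreach (token_get_all("<?php\n" . $generated) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $names[] = $tok[1];
        }
    }
    return $names;
}

$payload = "';phpinfo();\$a='x";   // value from step 2 of the report
$key     = 'EXAMPLE_MAIL_FROM';    // placeholder key name

// Unescaped writer: the payload closes the string and becomes statements.
var_dump(code_identifiers(render_setting_unsafe($key, $payload)));
// Escaped writer: the whole payload stays inside one string literal.
var_dump(code_identifiers(render_setting_safe($key, $payload)));
// Validation rejects the payload before it reaches the writer at all.
var_dump(is_valid_from_address($payload));
```

Running the tokenizer check over a generated config file before it replaces the live one gives a cheap regression test for any writer of this kind.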


We are processing your report and will contact the lirantal/daloradius team within 24 hours. a year ago
Filippo modified the Severity from High (8.8) to High (7.2) a year ago
lirantal/daloradius maintainer has acknowledged this report a year ago
Filippo gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Filippo validated this vulnerability a year ago
kos0ng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Filippo marked this as fixed in master-branch with commit 3650ee a year ago
Filippo has been awarded the fix bounty
This vulnerability has now been published a year ago
config_write.php#L62 has been validated