Lack of Input Sanitization leads to RCE in lirantal/daloradius
Valid
Reported on Jan 4th 2023
Description
This vulnerability occurs because user-controlled input is not sanitized during the configuration update process. The input is later written to another .php file, which could lead to RCE.
Proof of Concept
1. Go to Config, then go to Mail Settings.
2. Change the From Email Address value to a malicious payload, e.g. ';phpinfo();$a='x
3. Go to config-mail.php or library/daloradius.conf.php to see the executed code.
[Screenshot: Injected code in library/daloradius.conf.php]
[Screenshot: Executed code on config-mail.php]
[Screenshot: Executed code on library/daloradius.conf.php]
Impact
An attacker can gain RCE and take over the server (read, modify, delete, and add files).
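The flaw described above next to a hardened config writer, as an added example that is not daloRADIUS code or part of the original report; the MAIL_FROM key and both function names are hypothetical. It shows why field validation alone is not enough: an address containing an apostrophe passes email validation, so the value must also be emitted as an escaped PHP literal.

```php
<?php
// Added example; not daloRADIUS code. Key name and helpers are hypothetical.

// Vulnerable pattern from the report: the raw value is pasted between
// quotes in generated PHP source, so a quote in the value ends the literal.
function render_config_unsafe(array $values): string {
    $out = "<?php\n";
    foreach ($values as $key => $value) {
        $out .= "\$configValues['$key'] = '$value';\n";
    }
    return $out;
}

// Hardened: allow-list key names, validate the field, and let var_export()
// emit a correctly escaped PHP string literal for whatever is stored.
function render_config_safe(array $values): string {
    $out = "<?php\n";
    foreach ($values as $key => $value) {
        if (!preg_match('/\A[A-Z0-9_]+\z/', $key)) {
            throw new InvalidArgumentException("bad config key");
        }
        if ($key === 'MAIL_FROM'
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("invalid email address");
        }
        $out .= "\$configValues[" . var_export($key, true) . "] = "
              . var_export((string)$value, true) . ";\n";
    }
    return $out;
}

// Constructed inputs: the payload quoted in the report, and an address
// with an apostrophe that passes email validation.
$payload = "';phpinfo();\$a='x";

// Unsafe rendering: the value breaks out of the string literal.
echo render_config_unsafe(['MAIL_FROM' => $payload]);

// Safe rendering rejects the payload outright.
try {
    render_config_safe(['MAIL_FROM' => $payload]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A valid address containing a quote is stored with the quote escaped.
echo render_config_safe(['MAIL_FROM' => "o'brien@example.com"]);
```

Storing settings in a non-executable format (JSON or INI read with a parser) removes this class of bug entirely, since the saved value is never interpreted as PHP.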
Occurrences
config_write.php#L62 has been validated