Lack of Input Sanitization leads to RCE in lirantal/daloradius

Valid

Reported on

Jan 4th 2023


Description

This vulnerability occurs because user-controlled input is not sanitized during the configuration update process. The input is later written to another .php file, which can lead to RCE.

Proof of Concept

  1. Go to Config then go to Mail Settings

  2. Change the From Email Address value to a malicious payload, e.g. ';phpinfo();$a='x

  3. Go to config-mail.php or library/daloradius.conf.php to see the executed code

[Screenshots: injected code in library/daloradius.conf.php; executed code on config-mail.php; executed code on library/daloradius.conf.php]

Impact

An attacker can gain RCE and take over the server (read, modify, delete, and add files).
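
The pattern described above, as an added example that is not daloRADIUS code or part of the original report: a config writer that pastes a value between quotes, next to one that emits it with var_export(), both run against the value from step 2. The function names and the CONFIG_MAIL_FROM key are assumptions made for illustration.

```php
<?php
// Added example. render_unsafe, render_safe, has_code_identifier and the key
// CONFIG_MAIL_FROM are hypothetical names, not daloRADIUS code.

// Vulnerable pattern: the value is pasted between single quotes, so a quote
// in the input closes the literal and the remainder is parsed as PHP.
function render_unsafe(array $config): string {
    $out = "<?php\n";
    foreach ($config as $key => $value) {
        $out .= '$configValues[\'' . $key . '\'] = \'' . $value . "';\n";
    }
    return $out;
}

// Hardened pattern: allow-list the key, let var_export() build the literal.
function render_safe(array $config): string {
    $out = "<?php\n";
    foreach ($config as $key => $value) {
        if (!preg_match('/^[A-Z0-9_]+\z/', (string)$key)) {
            throw new InvalidArgumentException('unexpected config key');
        }
        $out .= '$configValues[' . var_export((string)$key, true) . '] = '
              . var_export((string)$value, true) . ";\n";
    }
    return $out;
}

// Detection aid: true if $name appears as a code token (T_STRING) rather
// than inside a quoted string in the generated file.
function has_code_identifier(string $php, string $name): bool {
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && strcasecmp($tok[1], $name) === 0) {
            return true;
        }
    }
    return false;
}

$payload = '\';phpinfo();$a=\'x';             // value from step 2 of the report
$cfg = ['CONFIG_MAIL_FROM' => $payload];      // constructed sample config
foreach (['unsafe' => render_unsafe($cfg), 'safe' => render_safe($cfg)] as $label => $src) {
    $verdict = has_code_identifier($src, 'phpinfo') ? 'input parsed as code' : 'input stays data';
    echo "$label: $verdict\n$src\n";
}
// Field-level validation as an additional check before anything is written.
echo 'accepted as e-mail address: ';
var_dump(filter_var($payload, FILTER_VALIDATE_EMAIL) !== false);
```

Emitting values with var_export() keeps them as string literals even when field validation is missing. Storing settings in a non-executable format such as JSON or INI avoids generating PHP from input at all.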

References

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 6 days ago
Filippo modified the Severity from High (8.8) to High (7.2) 5 days ago
lirantal/daloradius maintainer has acknowledged this report 5 days ago
Filippo gave praise 5 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Filippo validated this vulnerability 5 days ago
Zen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Filippo marked this as fixed in master-branch with commit 3650ee 5 days ago
Filippo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Filippo published this vulnerability 5 days ago
config_write.php#L62 has been validated