Code Injection in namelessmc/nameless

Valid

Reported on

Aug 23rd 2021


✍️ Description

Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.

https://github.com/NamelessMC/Nameless/ is vulnerable to code injection as shown below:

🕵️‍♂️ Proof of Concept

Vulnerable resource: Nameless/modules/Core/pages/panel/emails.php
Vulnerable variable: $_POST['port']
Perform the following actions with an admin account:

  1. Visit http://localhost/Nameless-2/index.php?route=/panel/core/emails/.
  2. Fill in the fields, entering 123); phpinfo();/* in the port field.
  3. Visit http://localhost/Nameless-2/core/email.php and observe that phpinfo() is executed.

This vulnerability allows RCE on the server.
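As an added illustration (not NamelessMC's own code, and the exact template of the generated settings file is an assumption, since this page does not show it), the snippet below contrasts the pattern behind this bug, an admin form value interpolated directly into generated PHP source, with a hardened generator that validates the port and emits it only as a literal:

```php
<?php
// Added example, not NamelessMC's code. It models the class of bug in the
// report: a value from the admin e-mail form is written into a generated PHP
// settings file, so the text of the value becomes executable code. The
// define()-based template below is assumed; the real file is not on this page.

// Unsafe pattern: the raw POST value is pasted into PHP source. For the
// report's PoC value "123); phpinfo();/*" the emitted line becomes
//   define('EMAIL_PORT', 123); phpinfo();/*);
// which is valid PHP and runs whenever core/email.php is included.
function renderEmailConfigUnsafe(array $post): string {
    return "<?php\n"
        . "define('EMAIL_PORT', " . $post['port'] . ");\n";
}

// Hardened pattern: validate against what a port actually is (an integer in
// 1..65535), then emit it through var_export() so the output can only ever be
// a PHP literal, never a statement.
function renderEmailConfigSafe(array $post): string {
    $port = filter_var($post['port'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($port === false) {
        throw new InvalidArgumentException('port must be an integer between 1 and 65535');
    }
    return "<?php\n"
        . "define('EMAIL_PORT', " . var_export($port, true) . ");\n";
}

// Constructed inputs: a legitimate SMTP port and the report's PoC string.
$benign = ['port' => '587'];
$poc    = ['port' => '123); phpinfo();/*'];

echo renderEmailConfigSafe($benign);   // define('EMAIL_PORT', 587);

try {
    renderEmailConfigSafe($poc);       // never reaches the file writer
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The same rule applies to every other field written into that file (host, username, password): each must be validated for its type and rendered with var_export() or an equivalent quoting routine, because an admin-only form is still a path from panel access to code execution on the host.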

💥 Impact

Impact may include loss of confidentiality, loss of integrity, loss of availability, and/or loss of accountability.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
Sam validated this vulnerability a month ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam confirmed that a fix has been merged on a07f9d a month ago
Sam has been awarded the fix bounty