Hello everybody,
Since someone asked me about injections in Metin2CMS, I quickly looked at the code of the CMS mentioned. I also noticed a critical exploit that enables code injections.
The file include\functions\sendEmail.php contains the following code:
As of Apache 2, $_SERVER['SERVER_NAME'] can be supplied by the client via the HTTP Host header (just like $_SERVER['HTTP_HOST']).
An email is sent in the same file using PHPMailer and the sender is set as follows:
The script include\mailer\PHPMailer.php validates the sender as follows:
The validateAddress function uses FILTER_VALIDATE_EMAIL (RFC 822 syntax), which is not sufficient to check e-mail addresses.
The isShellSafe function uses escapeshellcmd, which prevents additional commands from being executed, but it is still possible to pass additional parameters/flags that allow the execution of PHP code.
Fix:
To keep it as simple as possible, it is sufficient to change the following in the file include\functions\sendEmail.php:
To:
Here, server.io would be your own domain name.
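As an added example (not code from Metin2CMS or PHPMailer), one way to implement the fix described above is to derive the sender from a configured allowlist instead of the Host-controlled $_SERVER['SERVER_NAME']; ALLOWED_MAIL_HOSTS, buildSenderAddress() and isSafeSender() are assumed names, and the sample Host values are constructed.

```php
<?php
// Added example (not Metin2CMS or PHPMailer code): build the sender address
// from server-side configuration rather than the client-influenced Host header.
// Hypothetical names: ALLOWED_MAIL_HOSTS, buildSenderAddress(), isSafeSender().
declare(strict_types=1);

// Hostnames this installation legitimately answers for (constructed sample).
const ALLOWED_MAIL_HOSTS = ['server.io', 'www.server.io'];

/**
 * Accept only a complete, plain address: no whitespace, quotes or other
 * characters that a mail transfer binary could interpret as extra options.
 */
function isSafeSender(string $address): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $address);
}

/**
 * Build "noreply@<host>" from the request host only if that host is on the
 * allowlist; otherwise fall back to the configured primary host. Never trusts
 * $_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'] directly.
 */
function buildSenderAddress(?string $requestHost, string $localPart = 'noreply'): string
{
    $host = strtolower(trim((string) $requestHost));
    // Strip an optional :port suffix before comparing against the allowlist.
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, ALLOWED_MAIL_HOSTS, true)) {
        $host = ALLOWED_MAIL_HOSTS[0];
    }
    $sender = $localPart . '@' . $host;
    // Defence in depth: refuse anything that is not a plain address.
    if (!isSafeSender($sender)) {
        throw new InvalidArgumentException('Refusing to use unsafe sender address');
    }
    return $sender;
}

// Constructed sample Host header values and the sender each one yields.
foreach (['server.io', 'www.server.io:443', 'evil.example', 'server.io extra', null] as $h) {
    printf("%-20s => %s\n", var_export($h, true), buildSenderAddress($h));
}
```

The returned value is what you would hand to PHPMailer's setFrom(); every unlisted or malformed host collapses to the configured primary domain.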
Hope it helps.