Metin2CMS - Reverse shell command execution / code injection fix

    Hello everybody,


    Since someone asked me about injections in Metin2CMS, I quickly looked at the code of the CMS mentioned. I also noticed a critical exploit that enables code injection.


    The file include\functions\sendEmail.php contains the following code:


    PHP:
    // SERVER_NAME is taken from the request's Host header, i.e. it is client-controlled
    $site_name = $_SERVER['SERVER_NAME'];
    if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf';


    As of Apache 2, $_SERVER['SERVER_NAME'] can be transmitted from the client to the server via the HTTP Host header (just like $_SERVER['HTTP_HOST']).


    An email is sent in the same file using PHPMailer and the sender is set as follows:


    PHP:
    // $site_name ends up in the sender address, which PHPMailer later passes to sendmail as -f
    $mail->SetFrom($email_name . '@' . $site_name, $site_title);


    The script include\mailer\PHPMailer.php validates the sender as follows:


    PHP:
    if (!empty($this->Sender) and static::validateAddress($this->Sender))
    {
        // isShellSafe only uses escapeshellcmd, so the value still becomes a sendmail argument
        if (self::isShellSafe($this->Sender))
        {
            $params = sprintf('-f%s', $this->Sender);
        }
    }

    The validateAddress function uses FILTER_VALIDATE_EMAIL according to RFC 822, which is not sufficient to check e-mails. :facepalm:


    The isShellSafe function uses escapeshellcmd, which prevents additional commands from being executed, but it is still possible to pass additional parameters / flags that allow the execution of PHP code.


    Fix:


    To keep it as simple as possible, it is sufficient to change the following in the file include\functions\sendEmail.php:


    PHP:
    $site_name = $_SERVER['SERVER_NAME'];
    if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf';


    To:


    PHP:
    $site_name = 'server.io';


    Here, server.io stands for your own domain name.


    Hope it helps.
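A slightly more complete version of the fix, added here as an example and not code from Metin2CMS or PHPMailer: the sender domain comes from server-side configuration, the Host header is only honoured when it exactly matches an allow-list, and the finished address is checked against a strict pattern before it can reach PHPMailer's -f parameter. The constants SITE_DOMAIN and ALLOWED_HOSTS, the functions senderDomain and senderAddress, and the request arrays are assumed names and constructed inputs for this illustration.

```php
<?php
// Added example (not Metin2CMS or PHPMailer code): derive the From: domain from
// server-side configuration instead of the client-controlled Host header.
// SITE_DOMAIN, ALLOWED_HOSTS, senderDomain() and senderAddress() are assumed
// names for this illustration.

declare(strict_types=1);

// Server-side configuration: the only domains this installation may send as.
const SITE_DOMAIN   = 'server.io';                  // placeholder for your own domain
const ALLOWED_HOSTS = ['server.io', 'www.server.io'];

/**
 * Pick the domain used in the From: address.
 * $server is $_SERVER (or a constructed copy for testing). SERVER_NAME and
 * HTTP_HOST both originate from the request's Host header, so a value is only
 * used when it exactly matches an allow-listed host; anything else falls back
 * to the configured domain. An optional :port suffix is stripped first.
 */
function senderDomain(array $server): string
{
    $candidate = $server['SERVER_NAME'] ?? $server['HTTP_HOST'] ?? '';
    $candidate = strtolower(trim($candidate));
    $candidate = preg_replace('/:\d+$/', '', $candidate) ?? '';

    return in_array($candidate, ALLOWED_HOSTS, true) ? $candidate : SITE_DOMAIN;
}

/**
 * Build the full sender address and reject anything that is not a plain
 * mailbox@domain: no whitespace, no leading '-', and a domain made only of
 * letters, digits, dots and hyphens. This is deliberately stricter than
 * FILTER_VALIDATE_EMAIL, which accepts RFC 822 forms that are unsuitable for
 * use as a command-line argument.
 */
function senderAddress(string $localPart, array $server): string
{
    $address = $localPart . '@' . senderDomain($server);
    $pattern = '/^[A-Za-z0-9._+][A-Za-z0-9._+-]*@'
             . '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
             . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/';
    if (!preg_match($pattern, $address)) {
        throw new InvalidArgumentException('unsafe sender address rejected');
    }
    return $address;
}

// Constructed request environments for demonstration (not real traffic).
$cases = [
    'legitimate host' => ['SERVER_NAME' => 'www.server.io'],
    'host with port'  => ['SERVER_NAME' => 'server.io:8080'],
    'unknown host'    => ['SERVER_NAME' => 'attacker.example'],
    'empty host'      => [],
];
foreach ($cases as $label => $server) {
    echo str_pad($label, 16), ' -> ', senderAddress('noreply', $server), PHP_EOL;
}

// A local part that is not a plain mailbox name is rejected before it can be
// handed to PHPMailer as the -f sendmail parameter.
try {
    senderAddress('-noreply', ['SERVER_NAME' => 'server.io']);
} catch (InvalidArgumentException $e) {
    echo str_pad('leading dash', 16), ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

In sendEmail.php the value returned by senderAddress() would replace the string currently built from $email_name and $site_name and passed to SetFrom(); the three legitimate cases above resolve to an allow-listed or configured domain, while the unknown host is silently replaced by SITE_DOMAIN rather than echoed back into the mail command line.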
