Vulnerability Description:
The vulnerable code is located within the concrete/controllers/single_page/dashboard/system/environment/logging.php
script.
Specifically, into the Logging::update_logging()
method:
public function update_logging()
{
$config = $this->app->make('config');
$request = $this->request;
if (!$this->token->validate('update_logging')) {
return $this->showError($this->token->getErrorMessage());
}
// Load in variables from the request
$mode = (string) $request->request->get('logging_mode') === 'advanced' ? 'advanced' : 'simple';
$handler = $mode === 'simple' ? (string) $request->request->get('handler', 'database') : null;
$logFile = $handler === 'file' ? (string) $request->request->get('logFile') : null;
$enableDashboardReport = $request->request->get('enable_dashboard_report') ? true : false;
$loggingLevel = strtoupper((string) $request->request->get('logging_level'));
$intLogErrorsPost = $request->request->get('ENABLE_LOG_ERRORS') === 1 ? 1 : 0;
$intLogEmailsPost = $request->request->get('ENABLE_LOG_EMAILS') === 1 ? 1 : 0;
$intLogApiPost = $request->request->get('ENABLE_LOG_API') === 1 ? 1 : 0;
// Handle 'file' based logging
if ($handler === 'file') {
$directory = dirname($logFile);
// Validate the file name
if (pathinfo($logFile, PATHINFO_EXTENSION) !== 'log') {
return $this->showError(t('The filename provided must be a valid filename and end with .log'));
}
// Validate the file path, create the log file if needed
if (!file_exists($logFile)) {
// If the file doesn't exist, make sure we can create one
if (!is_writable($directory) || !is_dir($directory)) {
return $this->showError(t('Log file does not exist on the server. The directory of the file provided must exist and be writable on the web server.'));
}
User input passed through the “logFile” request parameter is not properly sanitized before being used in a call to the file_exists
function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
Reproduction Steps:
log
to File Extensions to Acceptphp phar-generator.php
from the CLI)phar.log
fileapplication/files/4916/0848/5009/phar.log
)phar://./application/files/4916/0848/5009/phar.log
Notes:
The vulnerability has been successfully tested on Concrete5 versions 8.5.4 and 8.5.5 RC1.
This vulnerability might be abused by malicious users to inject and execute arbitrary PHP code on the web server.
However, successful exploitation requires an admin account, and this partially mitigates the issue.