Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtZdt1337DAY-ID-35940
HistoryMar 13, 2021 - 12:00 a.m.

QCubed 3.1.1 PHP Object Injection Vulnerability

2021-03-1300:00:00
0day.today
63

0.017 Low

EPSS

Percentile

87.8%

JSON
QCubed PHP Object Injection
===========================

| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24914 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=======
QCubed is a PHP Model-View-Controller Rappid Application Development framework. (https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=========================
A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

qcubed/assets/php/profile.php:
<?php 
    require_once('./qcubed.inc.php');

    //Exit gracefully if called directly or profiling data is missing.
    if ( !isset($_POST['intDatabaseIndex']) && !isset($_POST['strProfileData']) && !isset($_POST['strReferrer']) )
        exit('Nothing to profile. No Database Profiling data recived.');

    if ( !isset($_POST['intDatabaseIndex']) || !isset($_POST['strProfileData']) || !isset($_POST['strReferrer']) )
        throw new Exception('Database Profiling data appears to have been corrupted.');

    $intDatabaseIndex = intval($_POST['intDatabaseIndex']);
    $strReferrer = QApplication::HtmlEntities($_POST['strReferrer']);

    $objProfileArray = unserialize(base64_decode($_POST['strProfileData']));  //<-VULNERABLE CODE
    $objProfileArray = QType::Cast($objProfileArray, QType::ArrayType);


VULNERABLE VERSIONS
===================
All versions including 3.1.1 are affected.


TESTED VERSIONS
===============
QCubed 3.1.1

IMPACT
======
An unauthenticated attacker could  execute code remotely.

MITIGATION
==========
A patch was delivered by QCubed that allows to disable the profile-functionality.

VENDOR CONTACT TIMELINE
=======================   

| 2020-04-19 | Contacting the vendor |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch at Github |
| 2021-02-15 | Public disclosure |

#  0day.today [2021-09-23]  #

Related

veracode 1
github 1
checkpoint_advisories 1
osv 2
packetstorm 1
prion 1
cve 1
cvelist 1
nvd 1
wallarmlab 1
veracode
veracode
Untrusted Object Deserialization
2021-03-05 01:04:25
github
github
qcubed PHP object injection
2022-05-24 17:43:37
checkpoint_advisories
checkpoint_advisories
Qcubed Remote Code Execution (CVE-2020-24914)
2021-04-28 00:00:00
osv
osv
CVE-2020-24914
2021-03-04 13:15:15
qcubed PHP object injection
2022-05-24 17:43:37
packetstorm
packetstorm
QCubed 3.1.1 PHP Object Injection
2021-03-12 00:00:00
prion
prion
Cross site request forgery (csrf)
2021-03-04 13:15:00
cve
cve
CVE-2020-24914
2021-03-04 13:15:15
cvelist
cvelist
CVE-2020-24914
2021-03-04 12:33:26
nvd
nvd
CVE-2020-24914
2021-03-04 13:15:15
wallarmlab
wallarmlab
Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.
2021-03-16 18:22:00

0.017 Low

EPSS

Percentile

87.8%

JSON
Related for 1337DAY-ID-35940
veracode1github1checkpoint_advisories1osv2packetstorm1prion1cve1cvelist1nvd1wallarmlab1