SSTI Vulnerability in Admin Menu Add #2662
Comments
As an nzedb admin user I already have full control of the server it's on
I'm confused how I made you upset by trying to fix issues in nZEDb. Spending my free time as I wish is my choice. I'm not asking you to do anything you do not want to do and you can ignore my issues and PRs if that would make you feel better. If you would like to collaborate productively, I have a further question.
So to clarify, if I sign up as a regular user on nZEDb via the sign up process, and then I'm promoted to an admin level in the admin panel, this gives me code execution on the server by design? If so, then close this issue as not a bug. After reading over much of the code base and using nZEDb, that was not my impression.
Is also not php 7.2 eol?
@cruatta If you make a PR I will have a look at it.
I would be very interested in it, would love to see it?
li3 is maintained again. One of the original creators, and main coder, is back and working through the backlog.
There is a Server Side Template Injection in /admin/menu-edit.php?action=submit, which I'd like to discuss with the community to try and figure out a solution for.
Background
Home Page -> Admin Panel -> Site Settings -> Menu Items -> Add
And then add to the Evaluate field a smarty expression which triggers code execution on the server
The above payload drops an example web shell for further exploitation
Expected behaviour
system()
which run arbitrary system commands by design. I understand this might be up for some discussion.
Actual behaviour
Steps to reproduce the behaviour
I have created a PoC to demonstrate this along with another vulnerability, which was just patched #2661
https://gitlab.com/cruatta/nzedb-pwn
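One possible direction for the solution the issue asks about, as an added example that is not code from the issue or from nZEDb: stop treating the Evaluate field as free-form Smarty and accept only a narrow allowlisted conditional, both on submit and when auditing rows already stored. It is sketched in Python for a stand-alone audit; the grammar, the `(id, title, evaluate)` row layout, `MAX_LEN` and the sample rows are assumptions.

```python
import re

# Assumption (not from nZEDb): a legitimate Evaluate value is empty or one
# conditional of the form {if <cond> [and|or <cond>]...}<int>{/if}, where
# <cond> is [!]$var[.key...] optionally compared with a literal.
VAR = r"!?\$[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*"
LIT = r"(?:-?\d+|'[\w ]*'|\"[\w ]*\"|true|false)"
OP = r"(?:==|!=|<=|>=|<|>)"
COND = rf"{VAR}(?:\s*{OP}\s*{LIT})?"
ALLOWED = re.compile(
    rf"\{{if\s+{COND}(?:\s+(?:and|or)\s+{COND})*\s*\}}-?\d+\{{/if\}}"
)
MAX_LEN = 255  # hypothetical column limit


def is_allowed(value: str) -> bool:
    """Deny by default: only an empty value or the exact grammar passes."""
    value = value.strip()
    if value == "":
        return True
    # fullmatch rejects anything before or after the single conditional,
    # so function calls, modifiers and extra tags never reach the engine.
    return len(value) <= MAX_LEN and ALLOWED.fullmatch(value) is not None


def audit_menu(rows):
    """Return (id, title) for rows whose Evaluate value fails the allowlist."""
    return [(rid, title) for rid, title, ev in rows if not is_allowed(ev)]


# Constructed sample rows: (id, title, evaluate)
SAMPLE_ROWS = [
    (1, "Search", ""),
    (2, "Admin", "{if $userdata.role == 2}-1{/if}"),
    (3, "Login", "{if !$loggedin}-1{/if}"),
    (4, "Upper", "{$title|upper}"),                  # modifier
    (5, "Len", "{if strlen($title) > 3}-1{/if}"),    # function call
    (6, "Trailing", "{if $loggedin}-1{/if}{$title}"),  # extra tag
]

if __name__ == "__main__":
    for rid, title in audit_menu(SAMPLE_ROWS):
        print(f"menu row {rid} ({title}): Evaluate value outside allowlist")
```

Rows flagged by the audit need manual review before the allowlist is enforced on submit, since existing installations may hold legitimate values outside the assumed grammar.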