OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp.
References
Link | Resource |
---|---|
https://github.com/snoopysecurity/snoopysecurity.github.io/blob/master/web-application-security/2021/01/16/09_opencats_php_object_injection.html | Patch Third Party Advisory |
https://www.opencats.org/news/ | Vendor Advisory |
https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html | Exploit Third Party Advisory |
Configurations
Information
Published : 2021-01-17 22:15
Updated : 2021-01-26 13:44
NVD link : CVE-2021-25294
Mitre link : CVE-2021-25294
JSON object : View
CWE
CWE-502
Deserialization of Untrusted Data
Products Affected
opencats
- opencats