跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Tuleap - Command Injection in Project Wiki

**CVE:** CVE-2017-7981

**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)

**Versions affected:** >= 8.3 and <= 9.6.99.86

## Introduction

Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.

## Background

Tuleap uses PHPWiki as a plugin to provide a weak feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki similar to Tuleap will also be affected
by this issue.

The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.

## Vulnerability

Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.

RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighligter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function which spawns a process in the
operating system running the web application.

The following is an example plugin directie which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.

```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```

The result of the command execution can be seen in the image below.

![command execution](2017.04.tuleap-auth-ci.command-exec.png)

## Versions Affected

This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.

## References

https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md

https://tuleap.net/plugins/tracker/?aid=10159

## Credit

This vulnerability was discovered by Ben N ([email protected]) 19
April 2017.

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。