Headline
Melis Platform CMS patched for critical RCE flaw
POP chain crafted to demonstrate exploitability
Adam Bannister 25 October 2022 at 15:20 UTC
POP chain crafted to demonstrate exploitability
Melis Platform, the open source e-commerce and content management system (CMS), was vulnerable to remote code execution (RCE) via a critical deserialization vulnerability.
Tracked as CVE-2022-39297 and with a CVSS score of 9.8, the object injection flaw has been patched along with a pair of high severity bugs by French vendor Melis Technology.
Melis Platform is based on Laminas, a popular PHP framework formally known as Zend, and counts Keyrus, Paco Rabanne, and La Banque Postale among its users.
Read more of the latest PHP security news
The vulnerabilities were discovered by researchers from Swiss security outfit Sonar.
“The main vulnerability we identified comes from the deserialization of user data, something that is known to be unsafe for quite some time now,” Sonar vulnerability researcher Thomas Chauchefoin told The Daily Swig.
“As modern applications are very loosely coupled, it was not immediately obvious, even to an educated eye, that attackers could reach this code. This is where automated code analysis can be very powerful,” they added.
‘Puzzle pieces’
Having established the potential for abuse of PHP’s function with Sonar’s static analysis tool, the researchers tested exploitability by crafting a Property Oriented Programming (POP) chain.
“The fun thing about deserialization vulnerabilities in PHP is that not so many gadget chains are available when you adventure [move] yourself out of the usual targets; they are like small puzzle pieces you have to assemble to obtain code execution,” said Chauchefoin.
“We had to come up with a new chain for the framework Laminas. We added it to PHPGGC, a public database of the most common gadget chains, so other researchers don’t have to do this work again!”
Targeting the cache layer
In a blog post, Chauchefoin and Sonar software engineer Karim El Ouerghemmi documented how they targeted Laminas’ cache layer.
“Cache systems are often good targets ‘because they are] designed in a way to be loosely coupled with the rest of the application (e.g. automatically trigger save at the end of the lifecycle of the request by using destructors) and support a broad range of storage backends, including filesystems,” they wrote. “It can also be assumed that gaining the ability to control what’s stored in the cache can be abused later upon its retrieval, this data is always considered to be trusted.”
The other high severity issues caught by Sonar’s researchers include CVE-2022-39296, an arbitrary file read bug, and CVE-2022-3929, a DMA re-entrancy vulnerability in the NVM Express Controller (NVME) emulation in QEMU that could lead to denial of service (DoS) or code execution.
Sonar reported the vulnerabilities to Melis Technology back in June 2021 and patched updates were released on September 23, 2022.
The flaws affect versions spanning 2.2.0 and 5.0.0 inclusive, and were remediated in Melis 5.0.1.
DON’T MISS HyperSQL DataBase flaw leaves library vulnerable to RCE
Related news
Communication between the client and the server application of the affected products is partially done using CORBA (Common Object Request Broker Architecture) over TCP/IP. This protocol is not encrypted and allows tracing of internal messages. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R1...
MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.
### Impact Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. ### Patches This issue was addressed by restricting access to files to intended directories only. ### References - https://github.com/melisplatform/melis-asset-manager/commit/a0f75918c049aff78953a0bc91c585153595d1bd ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.
### Impact Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1. ### Patches This issue was addressed by restricting allowed classes when deserializing user-controlled data. ### References - https://github.com/melisplatform/melis-cms/commit/d124b2474699a679a24ec52620cadceb3d4cec11 ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.
MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.