Last July, I published a blog post summarising how Snuffleupagus was doing against high-profile web vulnerabilities, and the conclusion was:
It seems that Snuffleupagus is doing a decent job!
Time to see if it's still the case one year later.
ImpressCMS 1.3.11 — SQL injection
Sebastian Fabry from RIPS found a SQL injection in ImpressCMS. But since the SQL protection feature isn't publicly available, Snuffleupagus doesn't do anything against them.
A possible way to harden the application without disrupting anything would be to
write a rule to check if `$_SERVER['PHP_SELF'] doesn't contain quotes.
WordPress <= 5.2.3: Hardening Bypass
Simon Scannell from RIPS found a bypass of some hardneing-fu in Wordpress boiling down to an LFI, so it's mitigated by the file upload check, and depending of the configuration, it might also be prevented by W^X.
BigTree 4.4.6 — SQLI
Robin Peraglie from RIPS found a couple of issues in BigTree CMS: chaining a CSRF, to exploit an SQL injection, and exfiltrating the data via an XSS. There is also a phar-deserialization RCE.
The CSRF is prevented by samesite attribute, while the SQLI and XSS aren't mitigated. The phar-deserialization is killed by the stream wrapper whitelist.
SuiteCRM — CSRF to SQLI to RCE — CVE-2019-12598 and CVE-2019-12601
Robin Peraglie from RIPS disclosed
a couple of critical vulnerabilities in SuiteCRM.
The CSRF is prevented by samesite attribute,
while the SQLI isn't. The RCE is based on an unserialize, mitigated by the HMAC-for-unserialize
option.
TYPO3 — XSS to RCE
Robin Peraglie from RIPS disclosed
an XSS to RCE in TYPO3. The XSS isn't mitigated by snuffleupagus, but since the RCE is based on an
unserialize, it's mitigated by the HMAC-for-unserialize
option.
Pimcore 6.2.0 — RCE, SQLI and CSRF
Robin Peraglie from RIPS found a couple of issues in Pimcore:
- A command injection, complicated and maybe mitigated against casual attackers by the default ruleset
- A couple of SQL injections, not mitigated by the public version of Snuffleupagus
- Absence of anti-CSRF mecanism, mitigated by the
SameSitecookie attribute
WooCommerce 3.6.4 - CSRF to XSS
Dennis Brinkrolf of RIPS found a CSRF in Woocommerce, leading to an XSS, meaning RCE since this is wordpress.
The CSRF is mitigated by Samesite, killing the XSS as well since it's a
self one.
Prestashop 1.7.6.4 — CSRF to XSS to RCE
Sivanesh Ashok reported in April 2020 a CSRF-to-XSS-to-RCE in Prestashop.
The CSRF is prevented by samesite attribute. The XSS isn't mitigated by Snuffleupagus, but should be blocked by any reasonable CSP policy: nobody should allow executin javascript from within svg. And the RCE is like in Wordpress, a feature: admins can upload themes written in PHP. Interestingly, this is neither caught by the file-upload-checking because the themes are zip files, nor by W^X because an attacker can always mark the php files in the zip file as read-only.
Unraid 6.8.0 — RCE — CVE-2020-5847 and CVE-2020-5849
Sysdream found an authentication bypass as well as a remote code execution in Unraid around January 2020.
The auth bypass is based on a logic flaw, and can't be mitigated in a generic
way. The RCE however, is due to the usage of extract($_GET);,
which is
now mitigated by the default rules set,
albeit to be fair, this function should never be used, especially with such
stupid default values, but well, it's php,
so, yeah, … Amusingly, php's documentation is lying about the name of the
function's parameters, which should be int extract(array var_array [, int extract_type [, string prefix]]) instead.
As a side note, why the fuck is Unraid running php scripts as root‽
Netsweeper's webadmin 6.4.3 — RCE
An "independent Security Researcher" found an unauthenticated remote code execution in Netsweeper's webadmin vulnerability, based on a shell injection. Which should be mitigated by the default ruleset.
Roundcube 1.4.3 — XSS
Roundcube fixed an XSS, present thanks to a logic bug. There is nothing Snuffleupagus can do against those, but it's trivial to write a rule to virtual-patch this particular issue.
Composr — RCE
Megadodo published an unserialize-based RCE in composr, mitigated by the HMAC-for-unserialize option.
Mautic — RCE
Megadodo published an unserialize-based RCE in mautic, mitigated by the HMAC-for-deserialize feature.
Squirrelmail - likely RCE
Hanno Böck published a patch to fix an unserialize-based likely-RCE in squirrelmail, mitigated by the HMAC-for-deserialize feature.
Drupal 8 — RCE
Lorenzo Grespan and Sam Thomas from pentest.co.uk published a fun remote code execution against Drupal 8, chaining:
- A CSRF to create an arbitrary folder, mitigated by the samesite option
- A quirk of
file_get_contents, unmitigated - Some bruteforcing on Linux, none is required on Windows, unmitigated
- Deserialisation-based RCE, mitigated by the HMAC-for-unserialize option
BoltCMS — CSRF to XSS to RCE
Sivanesh Ashok reported in April 2020 a CSRF-to-XSS-to-RCE in BoltCMS.
- The CSRF is prevented by samesite attribute.
- The reflected and stored XSS aren't mitigated by Snuffleupagus.
- The LFI is mitigated by file-upload-checking as well as by W^X.
Trixbox CE — RCE
Anastasios Stasinopoulos disclosed an command injection in (the unmaintained) trixbox CE, mitigated by the default ruleset.
FusionPBX — XSS to RCE
Dustin Cobb from Gotham Digital Science
published
an XSS to RCE in FusionPBX.
The XSS isn't mitigated by snuffleupagus, and the command injection used for the RCE
is made harder to exploit, but isn't full mitigated, since the entire content of the parameter
controlled by the attacker is passed to a system-like function, without any prepending or appending.
Conclusion
Like last year, the only vulnerabilities that weren't killed are either:
- Logic issues, that can't be generically mitigated.
- Client-side issues, like XSS, that are explicitly out of scope.
- Application-specific issues that can't be dealt with in a generic way.
- SQLI, since this part is still private for now.
It seems that Snuffleupagus is still doing a decent job!
Feel free to send me an email if I've missed your favourite web vulnerability.