CVE-2023-0046
Unrestricted Logging Filename Lead to Remote Code Execution
This vulnerability occurs because the filename is not restricted or validated when the logging settings are saved. An attacker can therefore set the log filename to an existing PHP file and append PHP code to it by manipulating the logged input.
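A check of the kind the description says is missing, as an added example (not daloRADIUS code and not the project's fix). The function name, its parameters and the directory layout are assumptions; it accepts only a bare `.log` name inside a log directory that lies outside the web root.

```php
<?php
// Added example, not daloRADIUS code. Function name, parameters and paths are hypothetical.

/**
 * Map an operator-supplied log filename to a path inside $logDir.
 * Returns null when the name or the directory layout must be rejected.
 */
function resolve_log_path(string $name, string $logDir, string $webRoot): ?string
{
    // Allow-list: bare name, safe characters, single ".log" extension.
    // Rejects "update.php", "../www/update.php", "/var/www/x.log" and "a.php.log".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.log\z/', $name)) {
        return null;
    }
    $dir  = realpath($logDir);
    $root = realpath($webRoot);
    if ($dir === false || $root === false) {
        return null;                       // fail closed on a broken layout
    }
    // The log directory must not be served (or executed) by the web server.
    if (strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    // Refuse symlinks so the name cannot be redirected to another file.
    return is_link($path) ? null : $path;
}

// Demo on a constructed layout under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logname-demo';
foreach (['logs', 'www'] as $sub) {
    if (!is_dir("$base/$sub")) {
        mkdir("$base/$sub", 0700, true);
    }
}
foreach (['queries.log', 'update.php', '../www/update.php', 'a.php.log'] as $candidate) {
    $result = resolve_log_path($candidate, "$base/logs", "$base/www");
    printf("%-18s => %s\n", $candidate, $result ?? 'REJECTED');
}
```

Logged values remain attacker-controlled, so the directory check matters as much as the name check: the log file must never sit where the web server would interpret it.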
Code Injection
(High)
daloRADIUS <= 1.3
Log in using an operator account; in this case I log in as the operator1 user, an account that I created with only rep_online enabled in the ACL settings.
Go to config and click on logging settings. Modify the filename to any accessible PHP file, e.g. update.php, then enable Logging of Queries.
Go to the rep_online feature and fill the username with PHP code, e.g. phpinfo().
Go to update.php and you will see that phpinfo() was successfully injected.
daloRADIUS version: 1.3
2023-01-03: Vulnerability discovered.
2023-01-04: Vulnerability fixed.
2023-01-04: Vulnerability reported to the MITRE corporation.
2023-01-04: CVE has been assigned.
2023-01-04: Public disclosure of the vulnerability.
Achmad Zaenuri Dahlan Putra