CVE-2023-0048

Lack of Input Sanitization Leads to Remote Code Execution

Vulnerability Explanation

This vulnerability occurs because user-controlled input is not sanitized during the configuration update process. The input is later written to another .php file, which can lead to RCE.
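The pattern described above, as an added example that is not daloRADIUS code and not part of the original advisory: a simplified config writer that pastes a value between quotes in generated PHP, next to a version that emits the value with var_export(). The names `$config` and `MAIL_FROM` are assumptions; the sample value is the one from the proof of concept below, and it is only tokenized, never executed.

```php
<?php
// Added example: simplified, constructed config writer. Not daloRADIUS source.
// $config and MAIL_FROM are hypothetical names chosen for illustration.

// Vulnerable pattern: the value is pasted between quotes in generated PHP.
function render_unsafe(string $key, string $value): string
{
    return "\$config['" . $key . "'] = '" . $value . "';\n";
}

// Hardened pattern: allow-list the key, let var_export() emit a PHP literal.
function render_safe(string $key, string $value): string
{
    if (!preg_match('/^[A-Z0-9_]+$/', $key)) {
        throw new InvalidArgumentException('unexpected config key');
    }
    return '$config[' . var_export($key, true) . '] = '
         . var_export($value, true) . ";\n";
}

// Count statements in generated PHP with the tokenizer; nothing is executed.
function count_statements(string $php): int
{
    $count = 0;
    foreach (token_get_all('<?php ' . $php) as $token) {
        if ($token === ';') {   // punctuation tokens are plain strings
            $count++;
        }
    }
    return $count;
}

$payload = "';phpinfo();\$a='x";   // sample value from step 2 of the PoC

$unsafe = render_unsafe('MAIL_FROM', $payload);
$safe   = render_safe('MAIL_FROM', $payload);

// The concatenated line parses as several statements; the var_export()
// line stays a single assignment whose right-hand side is one string.
echo $unsafe, $safe;
printf("unsafe statements: %d, safe statements: %d\n",
       count_statements($unsafe), count_statements($safe));

// Second layer: validate the field before it ever reaches the writer.
var_dump(filter_var($payload, FILTER_VALIDATE_EMAIL));
var_dump(filter_var('radius@example.org', FILTER_VALIDATE_EMAIL));
```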

Vulnerability Type

  • Code Injection

CVSS

Vendor

Affected Version

  • daloRADIUS <= 1.3

Proof of Concept

  1. Go to Config then go to Mail Settings

  2. Change the From Email Address value to a malicious payload, e.g. ';phpinfo();$a='x

  3. Go to config-mail.php or library/daloradius.conf.php to see the executed code.

  4. The injected code in library/daloradius.conf.php can be seen in the image below.

  5. The executed code on config-mail.php can be seen in the image below.

  6. The executed code on library/daloradius.conf.php can be seen in the image below.

Exploit Code

# TBU

Tested On

  • daloRADIUS version: 1.3

Disclosure Timeline

  • 2023-01-04: Vulnerability discovered.

  • 2023-01-04: Vulnerability fixed.

  • 2023-01-04: Vulnerability reported to the MITRE corporation.

  • 2023-01-04: CVE has been assigned.

  • 2023-01-04: Public disclosure of the vulnerability.

Researcher

  • Achmad Zaenuri Dahlan Putra (kos0ng)

Additional Information
