Jump to content

Metin2CMS - Reverse Shell Command Execution / Code Injection Fix


Recommended Posts

Hello everybody,

 

Since someone asked me about injections in Metin2CMS (targeted CMS: https://metin2cms.cf/), I quickly looked at the code of the CMS mentioned. I also noticed a critical exploit that enables code injections.

 

The file include\functions\sendEmail.php contains the following code:

 

$site_name = $_SERVER['SERVER_NAME'];
if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf';

 

As of Apache 2, $_SERVER['SERVER_NAME'] can be transmitted from the client to the server via the http header Host (like for $_SERVER['HTTP_HOST'] too).

 

An email is sent in the same file using PHPMailer and the sender is set as follows:

 

$mail->SetFrom($email_name . '@' . $site_name, $site_title);

 

The script include\mailer\PHPMailer.php validates the sender as follows:

 

if (!empty($this->Sender) and static::validateAddress($this->Sender))
{
    if (self::isShellSafe($this->Sender))
    {
        $params = sprintf('-f%s', $this->Sender);
    }
}

The validateAddress function uses FILTER_VALIDATE_EMAIL according to RFC 822, which is not sufficient to check e-mails.

 

The isShellSafe function uses escapeshellcmd, which prevents additional commands from being executed, but it is still possible to pass additional parameters / flags that allow the execution of PHP code.

 

I wrote with Ionut and thanks to him he already released a full solution for this here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

 

Fix:

 

Remove:

 

$email_name = 'noreplay';

$site_name = $_SERVER['SERVER_NAME'];
if ($site_name == 'localhost' || $site_name == '127.0.0.1')
	$site_name = 'metin2cms.cf';

 

Replace:

 

$mail->SetFrom($email_name . '@' . $site_name, $site_title);
$mail->AddReplyTo($email_name . "@" . $site_name, $site_title);

 

With:

 

$mail->SetFrom($email_username, $site_title);
$mail->AddReplyTo($email_username, $site_title);

 

Btw, i would not suggest setting the variable through Apache using ServerName and UseCanonicalName. These variables should not be used in productive environments.

 

Hope it helps. Also thanks to @martysama0134 who reached out to him.

  • Love 3
Link to post
  • VIP
Posted (edited)
2 hours ago, metho said:

I wrote with Ionut and thanks to him he already released a full solution for this here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

 

He already fixed this long time ago

Spoiler

43e96ef31f8550e834be31aa711bd983.gif

 

But what about Encoding, cus in his commit is nothing about this ?

$mail->Encoding = 'base64';

 

Edited by ⚡FlasH⚡ (see edit history)
Link to post

@⚡FlasH⚡  Strange, i downloaded the lastest version, encountered the issue, fixed it, posted it on another forum and get in contact with him personally. My guess would be, he implemented it as a sort of feature and now reverted it back to its original state. Maybe he will answer too here @Ionuț

Link to post
  • VIP
2 minutes ago, metho said:

@⚡FlasH⚡  Strange, i downloaded the lastest version, encountered the issue, fixed it, posted it on another forum and get in contact with him personally. My guess would be, he implemented it as a sort of feature and now reverted it back to its original state. Maybe he will answer too here @Ionuț

I had planned this update for some time. It's just that I haven't published anything yet, because I still have work on it. People who come to me to encode their design receive the latest files, so some of them have already this.

I didn't realize it was a security issue. I initially made that change some time ago because many email services need to receive the source email, not one that doesn't exist. :) 

  • Love 1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.