
Metin2CMS - Reverse Shell Command Execution / Code Injection Fix



Hello everybody,

 

Since someone asked me about injections in Metin2CMS (targeted CMS: https://metin2cms.cf/), I quickly looked at the code of the CMS mentioned. I also noticed a critical exploit that enables code injections.

 

The file include\functions\sendEmail.php contains the following code:

 

$site_name = $_SERVER['SERVER_NAME']; // value is derived from the client-supplied Host header
if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf'; // only these two values are replaced

 

As of Apache 2, $_SERVER['SERVER_NAME'] can be transmitted from the client to the server via the HTTP header Host (just as $_SERVER['HTTP_HOST'] can).

 

An email is sent in the same file using PHPMailer and the sender is set as follows:

 

$mail->SetFrom($email_name . '@' . $site_name, $site_title);

 

The script include\mailer\PHPMailer.php validates the sender as follows:

 

if (!empty($this->Sender) and static::validateAddress($this->Sender))
{
    if (self::isShellSafe($this->Sender))
    {
        // the sender ends up on the sendmail command line as -f<sender>
        $params = sprintf('-f%s', $this->Sender);
    }
}

The validateAddress function uses FILTER_VALIDATE_EMAIL according to RFC 822, which is not sufficient to check e-mails.

 

The isShellSafe function uses escapeshellcmd, which prevents additional commands from being executed, but it is still possible to pass additional parameters / flags that allow the execution of PHP code.

 

I wrote to Ionut, and thanks to him a full solution has already been released here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

 

Fix:

 

Remove:

 

$email_name = 'noreplay';

$site_name = $_SERVER['SERVER_NAME'];
if ($site_name == 'localhost' || $site_name == '127.0.0.1')
	$site_name = 'metin2cms.cf';

 

Replace:

 

$mail->SetFrom($email_name . '@' . $site_name, $site_title);
$mail->AddReplyTo($email_name . "@" . $site_name, $site_title);

 

With:

 

$mail->SetFrom($email_username, $site_title);
$mail->AddReplyTo($email_username, $site_title);

 

By the way, I would not suggest setting the variable through Apache using ServerName and UseCanonicalName. These variables should not be used in production environments.

 

Hope it helps. Also thanks to @martysama0134 who reached out to him.

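The pattern behind the fix above, as an added example that is not Metin2CMS or PHPMailer code: the sender is taken from configuration only, never from $_SERVER, and it is checked against a strict character allowlist before it can reach the sendmail -f parameter. The $config array, configuredSender(), isStrictlySafeAddress() and the sample inputs are assumptions made for this example; the allowlist (alphanumerics plus @ _ - .) is the same idea that later PHPMailer releases apply in isShellSafe, written out here independently.

```php
<?php
// Added example, not code from Metin2CMS or PHPMailer.
// Demonstrates the defensive side of the fix described in the post:
//  1. the From / Reply-To address comes from configuration, never from
//     $_SERVER['SERVER_NAME'] or HTTP_HOST, which the Host header controls;
//  2. a strict allowlist check runs before the address is handed to a
//     mailer that may place it on a sendmail command line as -f<sender>.

// Constructed stand-in for the CMS configuration; Metin2CMS keeps its own
// $email_username setting, which the fix passes to SetFrom / AddReplyTo.
$config = ['email_username' => 'noreply@example.com'];

/**
 * Allowlist check that is stricter than FILTER_VALIDATE_EMAIL alone.
 * Every character must be alphanumeric or one of @ _ - . so that nothing a
 * shell or sendmail could read as a separate flag (whitespace, quotes,
 * backslashes, a leading dash) can get through. Hypothetical helper.
 */
function isStrictlySafeAddress(string $address): bool
{
    if ($address === '' || $address[0] === '-') {
        return false;                       // empty or looks like a flag
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // not even RFC 822 shaped
    }
    return preg_match('/^[A-Za-z0-9@_.-]+$/', $address) === 1;
}

/**
 * Return the configured sender, refusing to fall back to request data.
 * Throws instead of silently substituting a host name. Hypothetical helper.
 */
function configuredSender(array $config): string
{
    $sender = $config['email_username'] ?? '';
    if (!isStrictlySafeAddress($sender)) {
        throw new RuntimeException('email_username is not a safe sender address');
    }
    return $sender;
}

// Constructed inputs: the kind of values the old code could have built from
// a Host header, next to a legitimate configured address.
$samples = [
    'noreply@example.com',          // legitimate: accepted
    "noreply@example.com extra",    // whitespace: rejected
    "noreply@example.com\"x",       // quote: rejected
    '-noreply@example.com',         // leading dash: rejected
    'noreply@metin2cms.cf',         // the hard-coded fallback: accepted
];

foreach ($samples as $s) {
    printf("%-30s %s\n", $s, isStrictlySafeAddress($s) ? 'accepted' : 'REJECTED');
}

// Call site, as in the fixed sendEmail.php (PHPMailer method names as on the page):
// $mail->SetFrom(configuredSender($config), $site_title);
// $mail->AddReplyTo(configuredSender($config), $site_title);
echo "configured sender: " . configuredSender($config) . "\n";
```

Running the script prints one line per sample; only the two well-formed addresses are accepted. The important design choice is that configuredSender() has no code path that reads $_SERVER at all, so the Host header cannot influence the address even if the allowlist were later relaxed.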

2 hours ago, metho said:

I wrote with Ionut and thanks to him he already released a full solution for this here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

 

He already fixed this a long time ago


 

But what about Encoding, since there is nothing about this in his commit?

$mail->Encoding = 'base64';

 


2 minutes ago, metho said:

@⚡FlasH⚡  Strange, I downloaded the latest version, encountered the issue, fixed it, posted it on another forum and got in contact with him personally. My guess would be that he implemented it as a sort of feature and has now reverted it back to its original state. Maybe he will answer here too @Ionuț

I had planned this update for some time. It's just that I haven't published anything yet, because I still have work to do on it. People who come to me to encode their design receive the latest files, so some of them already have this.

I didn't realize it was a security issue. I initially made that change some time ago because many email services need to receive the source email, not one that doesn't exist. :) 

