metho, posted May 16, 2020:

Hello everybody,

Since someone asked me about injections in Metin2CMS (targeted CMS: https://metin2cms.cf/), I quickly looked at the code of the CMS mentioned. I also noticed a critical exploit that enables code injections.

The file include\functions\sendEmail.php contains the following code:

    $site_name = $_SERVER['SERVER_NAME'];
    if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf';

As of Apache 2, $_SERVER['SERVER_NAME'] can be transmitted from the client to the server via the HTTP header Host (as for $_SERVER['HTTP_HOST'] too).

An email is sent in the same file using PHPMailer, and the sender is set as follows:

    $mail->SetFrom($email_name . '@' . $site_name, $site_title);

The script include\mailer\PHPMailer.php validates the sender as follows:

    if (!empty($this->Sender) and static::validateAddress($this->Sender)) {
        if (self::isShellSafe($this->Sender)) {
            $params = sprintf('-f%s', $this->Sender);
        }
    }

The validateAddress function uses FILTER_VALIDATE_EMAIL according to RFC 822, which is not sufficient to check e-mails. The isShellSafe function uses escapeshellcmd, which prevents additional commands from being executed, but it is still possible to pass additional parameters / flags that allow the execution of PHP code.

I wrote with Ionut, and thanks to him he already released a full solution for this here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

Fix:

Remove:

    $email_name = 'noreplay';
    $site_name = $_SERVER['SERVER_NAME'];
    if ($site_name == 'localhost' || $site_name == '127.0.0.1') $site_name = 'metin2cms.cf';

Replace:

    $mail->SetFrom($email_name . '@' . $site_name, $site_title);
    $mail->AddReplyTo($email_name . "@" . $site_name, $site_title);

With:

    $mail->SetFrom($email_username, $site_title);
    $mail->AddReplyTo($email_username, $site_title);

Btw, I would not suggest setting the variable through Apache using ServerName and UseCanonicalName. These variables should not be used in productive environments.

Hope it helps. Also thanks to @martysama0134 who reached out to him.
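A hardened way to choose the sender address, written here as an added example (it is not code from the thread or from Metin2CMS): the address comes only from configuration, is syntax-checked, and its domain must be on an allow-list before it reaches PHPMailer, whose SetFrom also fills Sender and therefore the sendmail -f argument quoted above. The name buildSenderAddress, the allow-list, $site_title and the value of $email_username are assumptions.

```php
<?php
// Added example, not Metin2CMS or thread code: pick the From/Sender address from
// configuration only, and fail closed if it is not a plain mailbox on an allow-listed domain.
declare(strict_types=1);

/**
 * @param string   $configuredFrom  sender from the site's own config (assumed key $email_username)
 * @param string[] $allowedDomains  domains this installation may send from (assumed list)
 */
function buildSenderAddress(string $configuredFrom, array $allowedDomains): string
{
    // Shape check first: one "@", no whitespace, no quotes or other shell metacharacters,
    // then PHP's built-in syntax validation. Both must pass.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $configuredFrom)
        || filter_var($configuredFrom, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a plain mailbox address');
    }
    $domain = strtolower(substr($configuredFrom, strrpos($configuredFrom, '@') + 1));
    if (!in_array($domain, array_map('strtolower', $allowedDomains), true)) {
        throw new InvalidArgumentException("sender domain '$domain' is not allow-listed");
    }
    return $configuredFrom;
}

// Vulnerable pattern from the post, kept as a comment for contrast: the host name is
// request-controlled (Host header), so the resulting address is attacker-influenced.
//   $site_name = $_SERVER['SERVER_NAME'];
//   $mail->SetFrom($email_name . '@' . $site_name, $site_title);

$email_username = 'noreply@metin2cms.cf';   // assumed config value
$allowedDomains = ['metin2cms.cf'];         // assumed allow-list for this installation
$site_title     = 'Metin2CMS';              // assumed

$from = buildSenderAddress($email_username, $allowedDomains);
// $mail = new PHPMailer();
// $mail->SetFrom($from, $site_title);      // SetFrom also fills Sender -> sendmail "-f<Sender>"
// $mail->AddReplyTo($from, $site_title);

// Fail-closed demonstration: an address whose domain merely mirrors the request's Host
// header (constructed value) is rejected instead of being handed to sendmail.
$requestHost = 'some-other-host.example';   // constructed stand-in for $_SERVER['SERVER_NAME']
try {
    buildSenderAddress('noreply@' . $requestHost, $allowedDomains);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
echo 'using sender ' . $from . PHP_EOL;
```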
ManiacRobert, posted May 16, 2020:

For lazy people, the fix can be found here.
⚡FlasH⚡, posted May 16, 2020:

2 hours ago, metho said: I wrote with Ionut, and thanks to him he already released a full solution for this here: https://github.com/IonutPopescuRO/Metin2CMS/commit/b81859d7962d3054d18f1cbebff9216d3754f507

He already fixed this a long time ago. But what about Encoding, cus in his commit there is nothing about this:

    $mail->Encoding = 'base64';
metho (author), posted May 16, 2020:

@FlasH Strange, I downloaded the latest version, encountered the issue, fixed it, posted it on another forum and got in contact with him personally. My guess would be that he implemented it as a sort of feature and now reverted it back to its original state. Maybe he will answer here too @Ionuț
IonutRO, posted May 16, 2020:

2 minutes ago, metho said: @FlasH Strange, I downloaded the latest version, encountered the issue, fixed it, posted it on another forum and got in contact with him personally. My guess would be that he implemented it as a sort of feature and now reverted it back to its original state. Maybe he will answer here too @Ionuț

I had planned this update for some time. It's just that I haven't published anything yet, because I still have work on it. People who come to me to encode their design receive the latest files, so some of them already have this. I didn't realize it was a security issue. I initially made that change some time ago because many email services need to receive the source email, not one that doesn't exist.