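POC details: 70edd79db06a746d7ca2a67c78127709023ce40a

Source
Related vulnerability
Title: PHPUnit security vulnerability (CVE-2017-9841)
Description: TYPO3 is a free, open-source content management system maintained by the Swiss TYPO3 Association. PHPUnit is a PHP-based testing framework used in it. The Util/PHP/eval-stdin.php file in PHPUnit versions before 4.8.28 and 5.x versions before 5.6.3 contains a security vulnerability. A remote attacker can exploit it to execute arbitrary PHP code by sending HTTP POST data that begins with the string '<?php'.
Description
CVE-2017-9841 detector script
Introduction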
# CVE-2017-9841
CVE-2017-9841 detector script by Massimiliano Brasile


WHAT HAPPENED

On January 6th, 2020, I was advised of a security issue apparently affecting most versions of PrestaShop (the warning was shared by the PS team only internally on January 3rd, 2020). After some digging, I discovered that the problem is related to a testing framework library called PHPUnit [1] that is accidentally included in some production modules used in PrestaShop 1.7 (distributed either through the PrestaShop API or with PrestaShop installations). The issue in PHPUnit was labelled CVE-2017-9841 [2] [3], but the warning for PrestaShop is active at the moment because there is at least one bot (XsamXadoo) scanning PS websites for exactly this issue [4].


HOW IT WORKS

Technically, CVE-2017-9841 refers to the possibility of remote code execution in any application using a vulnerable version of phpunit/phpunit, and on January 8th, 2020 another issue was discovered (~~before 4.8.28 and 5.x before 5.6.3~~ related to versions before 7.5.19 for 7.x and 8.5.1 for 8.x [5]). Since PHPUnit is a well-known framework, the issue appears to affect the main PHP CMSs (PrestaShop, WordPress, Drupal, ...) and their plugins, but only if they use it. To help find these backdoors, you must check for any inclusion of this testing framework in every subfolder of your web root. To speed this up, I have written this little quick-and-dirty script, which helps me check all the instances of PrestaShop or WordPress I am in charge of.


WHERE TO CHECK

According to the PS forum [4], these modules need to be checked:
- autoupgrade (versions 4)
- module pscartabandonmentpro ; versions v2.0.1 and 2.0.2
- module ps_checkout ; versions v1.0.8 & v1.0.9
- module ps_facetedsearch ; version v3.0.0 and v2.2.1
- module gamification 

But in my tests I also found it in the ps_facetedsearch v3.2.1 module. It was not present in autoupgrade v4.9+.


HOW TO USE THE SCRIPT

1. copy the bash script into your web root folder (e.g. /var/www/html)
2. execute it as root (e.g. sudo ./cve_phpunit.sh) or at least with sufficient privileges to read all folders and files
3. wait for the recursive scan to finish; if it finds any phpunit/phpunit folder, it shows for each one whether it looks like a safe or a bugged version
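
The scan described in these steps can be sketched as follows. This is an added example, not the cve_phpunit.sh from this repository. It assumes that a vulnerable eval-stdin.php reads the HTTP request body through php://input while a fixed copy reads php://stdin; the module names in the sample tree are constructed.

```shell
#!/bin/sh
# Added example (not the repository's script): find PHPUnit's eval-stdin.php
# under a directory tree and classify each copy.
# Assumption: vulnerable copies read php://input, fixed copies read php://stdin.

scan_phpunit() {            # $1 = directory to scan, e.g. the web root
    find "$1" -type f -path '*/phpunit/*' -name 'eval-stdin.php' 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'php://input' "$f"; then
            printf 'VULNERABLE\t%s\n' "$f"
        else
            # Not the CVE-2017-9841 pattern, but a test framework is still
            # deployed in production and should be reviewed or removed.
            printf 'REVIEW\t%s\n' "$f"
        fi
    done
}

# Constructed sample tree (hypothetical module names) so the example runs
# offline. The PHP files are stand-ins containing only the stream wrapper.
make_demo_tree() {          # $1 = empty directory to populate
    old_dir="$1/modules/demo_old/vendor/phpunit/phpunit/src/Util/PHP"
    new_dir="$1/modules/demo_new/vendor/phpunit/phpunit/src/Util/PHP"
    mkdir -p "$old_dir" "$new_dir" "$1/modules/demo_clean"
    printf '%s\n' '<?php $code = file_get_contents("php://input"); // stand-in' \
        > "$old_dir/eval-stdin.php"
    printf '%s\n' '<?php $code = file_get_contents("php://stdin"); // stand-in' \
        > "$new_dir/eval-stdin.php"
}

demo() {                    # scan the constructed tree and clean up afterwards
    demo_dir=$(mktemp -d) || return 1
    make_demo_tree "$demo_dir"
    scan_phpunit "$demo_dir" | sort
    rm -rf "$demo_dir"
}

# With an argument, scan that directory; without one, run the offline demo.
if [ $# -gt 0 ]; then
    scan_phpunit "$1"
else
    demo
fi
```

A REVIEW result only means the CVE-2017-9841 pattern was not matched; it says nothing about the later issue mentioned in [5].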


HOW TO FIX

If bugged versions of phpunit are found, update the parent module if possible, or remove them (delete the folder) if they lack support from their developer; according to the PS forum, you should completely remove all vendor folders inside these modules, but this needs to be checked!


REFERENCES

[1] https://phpunit.de

[2] https://nvd.nist.gov/vuln/detail/CVE-2017-9841

[3] https://www.cvedetails.com/cve/CVE-2017-9841

[4] https://www.prestashop.com/forums/topic/1012095-hack-prestashop-avec-xsamxadoo-bot

[5] NOT official yet!! see https://github.com/PrestaShop/PrestaShop/issues/17059#issuecomment-572114133
File snapshot

[4.0K] /data/pocs/70edd79db06a746d7ca2a67c78127709023ce40a
├── [ 906] cve_phpunit.sh
├── [1.1K] LICENSE
└── [2.9K] README.md

0 directories, 3 files