Melis Platform CMS patched for critical RCE flaw

2 years ago 153
BOOK THIS SPACE FOR AD
ARTICLE AD

Adam Bannister 25 October 2022 at 15:20 UTC

POP chain crafted to demonstrate exploitability

Melis Platform CMS patched for critical RCE flaw

Melis Platform, the open source e-commerce and content management system (CMS), was vulnerable to remote code execution (RCE) via a critical deserialization vulnerability.

Tracked as CVE-2022-39297 and with a CVSS score of 9.8, the object injection flaw has been patched along with a pair of high severity bugs by French vendor Melis Technology.

Melis Platform is based on Laminas, a popular PHP framework formally known as Zend, and counts Keyrus, Paco Rabanne, and La Banque Postale among its users.

Read more of the latest PHP security news

The vulnerabilities were discovered by researchers from Swiss security outfit Sonar.

“The main vulnerability we identified comes from the deserialization of user data, something that is known to be unsafe for quite some time now,” Sonar vulnerability researcher Thomas Chauchefoin told The Daily Swig.

“As modern applications are very loosely coupled, it was not immediately obvious, even to an educated eye, that attackers could reach this code. This is where automated code analysis can be very powerful,” they added.

‘Puzzle pieces’

Having established the potential for abuse of PHP’s function with Sonar’s static analysis tool, the researchers tested exploitability by crafting a Property Oriented Programming (POP) chain.

“The fun thing about deserialization vulnerabilities in PHP is that not so many gadget chains are available when you adventure [move] yourself out of the usual targets; they are like small puzzle pieces you have to assemble to obtain code execution,” said Chauchefoin.

“We had to come up with a new chain for the framework Laminas. We added it to PHPGGC, a public database of the most common gadget chains, so other researchers don't have to do this work again!”

Targeting the cache layer

In a blog post, Chauchefoin and Sonar software engineer Karim El Ouerghemmi documented how they targeted Laminas’ cache layer.

“Cache systems are often good targets ‘because they are] designed in a way to be loosely coupled with the rest of the application (e.g. automatically trigger save at the end of the lifecycle of the request by using destructors) and support a broad range of storage backends, including filesystems,” they wrote. “It can also be assumed that gaining the ability to control what's stored in the cache can be abused later upon its retrieval, this data is always considered to be trusted.”

The other high severity issues caught by Sonar’s researchers include CVE-2022-39296, an arbitrary file read bug, and CVE-2022-3929, a DMA re-entrancy vulnerability in the NVM Express Controller (NVME) emulation in QEMU that could lead to denial of service (DoS) or code execution.

Sonar reported the vulnerabilities to Melis Technology back in June 2021 and patched updates were released on September 23, 2022.

The flaws affect versions spanning 2.2.0 and 5.0.0 inclusive, and were remediated in Melis 5.0.1.

DON’T MISS HyperSQL DataBase flaw leaves library vulnerable to RCE

Read Entire Article