Remote Code Execution in SyliusResourceBundle

Description

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

foo:
    path: /foo/{id}
    defaults:
        _sylius:
            repository:
                method: findSome
                arguments:
                    entity: "expr:service('repository').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in ParametersParser::parseRequestValueExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

For more information

If you have any questions or comments about this advisory:
* Email us at [email protected]

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2020-08-19 21:04:25 UTC
Updated
2024-02-06 18:21:27 UTC
GitHub reviewed
2020-08-19 20:30:42 UTC
NVD published
2020-08-19

EPSS Score

Score Percentile
1.06% 77.50%

CVSS Scores

Base score Version Severity Vector
7.7 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Credits

  • isometriks (analyst)
  • tdunlap607 (analyst)

Affected packages (4)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer sylius/resource-bundle >= 1.4.0, < 1.4.7 1.4.7
composer sylius/resource-bundle >= 1.5.0, < 1.5.2 1.5.2
composer sylius/resource-bundle >= 1.6.0, < 1.6.4 1.6.4
composer sylius/resource-bundle >= 1.0.0, < 1.3.14 1.3.14

References

cvelogic Threat Intelligence