Arbitrary PHP code execution in M2.0.2

[scholtz]

I have looked over file Phrase.php and it seems it allows arbitrary php code execution!

Anyone can exploit it by setting the php into language csv file, and with the execution of command 'php bin/magento i18n:collect-phrases -o "lang.csv" -m .' it will execute.

I have modified a bit the Phrase.php to speed up testing:

    /**
     * Compile PHP string based on quotes type it enclosed with
     *
     * @param string $string
     * @return string
     *
     * @SuppressWarnings(PHPMD.EvalExpression)
     */
    private function getCompiledString($string)
    {
        $string = "'.file_put_contents('/tmp/o.html','test');'";
        var_dump($string);
        $encloseQuote = $this->getQuote() == Phrase::QUOTE_DOUBLE ? Phrase::QUOTE_DOUBLE : Phrase::QUOTE_SINGLE;
        //find all occurrences of ' and ", with no \ before it.
        preg_match_all('/(?<!\\\\)[\'"]/', $string, $matches);
        if (count($matches[0]) % 2 !== 0) {
            $string = addslashes($string);
        }
        $evalString = 'return ' . $encloseQuote . $string . $encloseQuote . ';';
        var_dump($evalString);
        $result = eval($evalString);
        var_dump($string);
        var_dump(file_get_contents("/tmp/o.html"));
        exit;
        return is_string($result) ? $result :  $string;
    }

Please do not use eval to evaluate the phrase :)

[scholtz]

There seems to be very similar arbitrary php execution bug in this file https://github.com/magento/magento2/blob/077584c99ebb8007cad176c3b9a0144a05c259cd/lib/internal/Magento/Framework/Data/Collection/Filesystem.php , but this one needs some products to be listed in the filesystem.. With the filtering the attacker should be able to run php script on server from remote host.

    /**
     * The filters renderer and caller
     * Applies to each row, renders once.
     *
     * @param array $row
     * @return bool
     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
     * @SuppressWarnings(PHPMD.EvalExpression)
     */
    protected function _filterRow($row)
    {
        // render filters once
        if (!$this->_isFiltersRendered) {
            $eval = '';
            for ($i = 0; $i < $this->_filterIncrement; $i++) {
                if (isset($this->_filterBrackets[$i])) {
                    $eval .= $this->_renderConditionBeforeFilterElement(
                        $i,
                        $this->_filterBrackets[$i]['is_and']
                    ) . $this->_filterBrackets[$i]['value'];
                } else {
                    $f = '$this->_filters[' . $i . ']';
                    $eval .= $this->_renderConditionBeforeFilterElement(
                        $i,
                        $this->_filters[$i]['is_and']
                    ) .
                        ($this->_filters[$i]['is_inverted'] ? '!' : '') .
                        '$this->_invokeFilter(' .
                        "{$f}['callback'], array({$f}['field'], {$f}['value'], " .
                        '$row))';
                }
            }
            $this->_filterEvalRendered = $eval;
            $this->_isFiltersRendered = true;
        }
        $result = false;
        if ($this->_filterEvalRendered) {
            eval('$result = ' . $this->_filterEvalRendered . ';');
        }
        return $result;
    }

There does not seem to be any verification agains code execution on this variable:

$this->_filterBrackets[$i]['value']

please do not use eval or similar functions, or read the PHP documentation:

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

[i-daszkowski]

Thank you for reporting this issue. We have created an internal ticket APPSEC-1337 to fix the problem.

[okorshenko]

@scholtz this issue is fixed and merged to develop branch. Thank you for reporting this issue