
CVE-2023-47253

Report
Date: 04/11/2023
Author: OpenXP Team
Software: Qualitor
Version: Qualitor <= 8.20
Type: Remote Code Execution
OWASP TOP 10: A03:2021-Injection

References: https://www.imperva.com/learn/application-security/remote-code-execution/

Description

Qualitor is a business process management platform used by many companies in Brazil; exposed instances can be identified simply by Google dorking.

Our team identified a Remote Code Execution (RCE) vulnerability in the application: a remote attacker can execute arbitrary PHP code, including calls to functions such as system() and passthru().

The code below is the source of the vulnerable page, /html/ad/adpesquisasql/request/processVariavel.php. It passes a request parameter directly to eval(), which is what enables remote execution of arbitrary code.

include("../../../../configLingua.php");
header("Content-type: text/javascript; charset=".$_SESSION['A_appEncoding']);
header("Expires: Thu, 01 Jan 1990 00:00:00 GMT");

$strReturn = '';

// Vulnerable line: the raw request parameter (GET, POST or cookie, since $_REQUEST is used)
// is handed straight to eval() with no validation, so any PHP the client sends is executed.
eval($_REQUEST['gridValoresPopHidden']);

importClass('AdPesquisaSqlVar');
$bean = new AdPesquisaSqlVarBean();

$vo = $bean->povoaVoComArray($_REQUEST);

if (in_array($_REQUEST['nmalias'],
    array('dtiniciomesatual',
          'dtfimmesatual',
          'dtiniciomespassado',
          [...]

Proof of Concept (POC)

Just access the URL with your PHP code in the "gridValoresPopHidden" parameter.
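The following is an added detection example for the eval() sink and the PoC described above; it is not part of the advisory and not Qualitor code. It scans web server access logs in Apache/nginx combined format for requests to the vulnerable script whose "gridValoresPopHidden" query parameter contains PHP call syntax. The log lines are constructed for the example, and the list of flagged PHP functions is an assumption to be extended per environment. Because the script reads $_REQUEST, a payload can also arrive in a POST body or a cookie, which the access log does not record, so POSTs to the script are reported separately as lower-confidence findings.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable script and the parameter it eval()s (both from the advisory).
VULN_PATH = "/html/ad/adpesquisasql/request/processVariavel.php"
VULN_PARAM = "gridValoresPopHidden"

# PHP functions whose call syntax in the parameter value means "code", not data.
# Assumption: illustrative list; extend it for your environment.
SUSPICIOUS_PHP = re.compile(
    r"\b(system|passthru|exec|shell_exec|popen|proc_open|eval|assert|phpinfo|file_put_contents)\s*\(",
    re.IGNORECASE,
)

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Line 2 is a benign call to the script,
# line 3 carries PHP in the eval()'d parameter, line 4 is a POST whose body is not logged.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Nov/2023:10:00:01 -0300] "GET /html/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Nov/2023:10:00:07 -0300] "GET /html/ad/adpesquisasql/request/processVariavel.php?nmalias=dtiniciomesatual HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Nov/2023:10:02:13 -0300] "GET /html/ad/adpesquisasql/request/processVariavel.php?gridValoresPopHidden=phpinfo%28%29%3B HTTP/1.1" 200 48720 "-" "curl/8.4.0"
198.51.100.23 - - [04/Nov/2023:10:02:40 -0300] "POST /html/ad/adpesquisasql/request/processVariavel.php HTTP/1.1" 200 1220 "-" "curl/8.4.0"
"""


def inspect_line(line):
    """Return a finding dict for a suspicious request to the vulnerable script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != VULN_PATH.lower():
        return None
    base = {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        "status": int(m.group("status")),
    }
    # parse_qs percent-decodes the value, so the regex sees the PHP as the server would.
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    for raw in values:
        if SUSPICIOUS_PHP.search(raw):
            return {**base, "value": raw, "reason": "php-call-in-eval-parameter"}
    if any(v.strip() for v in values):
        # The script eval()s the value verbatim, so any non-empty value deserves review.
        return {**base, "value": values[0], "reason": "eval-parameter-present"}
    if m.group("method") == "POST":
        # $_REQUEST also reads POST bodies and cookies, which the access log does not show.
        return {**base, "value": None, "reason": "post-to-eval-endpoint"}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample this reports the GET carrying `phpinfo();` as a high-confidence hit and the POST as a lower-confidence one; the benign `nmalias`-only request is not reported. For mitigation, the eval() call should be removed rather than filtered: the parameter should be parsed as structured data (for example JSON) and only whitelisted keys copied into application variables, and a WAF rule blocking PHP call syntax in that parameter is at best a stopgap, since POST and cookie channels reach the same sink.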

RCE Execution

Researches