Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection

Title: Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection
Advisory ID: ZSL-2022-5720
Type: Local/Remote
Impact: Manipulation of Data, DoS
Risk: (4/5)
Release Date: 09.12.2022
Summary
Spitfire is a system to manage the content of webpages.
Description
The application is prone to a PHP Object Injection vulnerability due to unsafe use of the unserialize() function. An authenticated attacker could exploit this vulnerability by sending specially crafted requests containing malicious serialized input to the web application.
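An added example, not taken from the advisory or from Spitfire's code: the unsafe pattern described above next to one hardened alternative in PHP. It assumes cms_backup_values is a client-supplied cookie (as the PoC file name suggests); the function names and the signed-JSON format are hypothetical, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);

// Assumption: the advisory does not show Spitfire's code. "cms_backup_values"
// is treated here as a client-supplied cookie; function names are hypothetical.
const BACKUP_COOKIE = 'cms_backup_values';

// Unsafe pattern the advisory describes: client-controlled bytes reach
// unserialize(), which can instantiate any class the application can load.
function load_backup_values_unsafe(array $cookies)
{
    return unserialize($cookies[BACKUP_COOKIE] ?? '');
}

// Hardened writer: JSON payload plus an HMAC tag so tampering is detectable.
function encode_backup_values(array $values, string $key): string
{
    $json = json_encode($values, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

// Hardened reader: verify the tag in constant time, then decode data only.
function load_backup_values(array $cookies, string $key): array
{
    $raw = $cookies[BACKUP_COOKIE] ?? '';
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return [];
    }
    [$b64, $tag] = explode('.', $raw, 2);
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $tag)) {
        return [];                       // missing, malformed or tampered cookie
    }
    try {
        $values = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($values) ? $values : [];
}

// Constructed sample: a round trip, then a modified cookie that is rejected.
$key    = random_bytes(32);              // server-side secret, never sent to the client
$cookie = encode_backup_values(['title' => 'Home', 'page' => 3], $key);
var_dump(load_backup_values([BACKUP_COOKIE => $cookie], $key));       // the original array
var_dump(load_backup_values([BACKUP_COOKIE => 'x' . $cookie], $key)); // empty array
```

Where the serialized format cannot be changed, calling `unserialize($raw, ['allowed_classes' => false])` at least prevents the input from instantiating application classes.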
Vendor
Claus Muus - http://spitfire.clausmuus.de
Affected Version
1.0.475
Tested On
nginx
Vendor Status
[28.09.2022] Vulnerability discovered.
[28.09.2022] Vendor contacted.
[08.12.2022] No response from the vendor.
[09.12.2022] Public security advisory released.
PoC
spitfirecms_cookieobjinj.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/170186/
[2] https://cxsecurity.com/issue/WLB-2022120026
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/244359
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47083
[5] https://www.tenable.com/cve/CVE-2022-47083
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-47083
[7] https://www.exploit-db.com/exploits/51162
Changelog
[09.12.2022] - Initial release
[10.12.2022] - Added reference [1]
[14.12.2022] - Added reference [2]
[10.02.2023] - Added reference [3], [4], [5] and [6]
[10.04.2023] - Added reference [7]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk