CVE-2020-29227: Unauthenticated Local File Inclusion In Car Rental Management System 1.0
Web Application Description
Sourcecodester’s Car Rental Management System 1.0
The Car Rental Management System is a PHP/MySQLi based web application that helps a car rental business manage its car rental records. The system has two sides: the admin side and the client side. The admin side is where the company's management manages the rental records and other related data, such as the list of the company's cars for rent. The client side, or borrower side, serves as the company's booking website for its clients.
Vulnerability
A Local File Inclusion vulnerability in Car Rental Management System 1.0 allows an unauthenticated adversary to include PHP files or any system files, which leads to code execution or arbitrary file disclosure.
Vulnerable Endpoint
/index.php?page=
Vulnerable Code
In the code shown above, at line 86 the application assigns the user-controllable GET parameter page to the $page variable, which is then used in an include statement at line 191 without any proper restriction. The only restriction the application applies is that it appends .php to $page in the include statement, so that the user can only include PHP files.
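The fix for this class of bug is to stop building the include path from request data at all. The following is an added example written for this article, not the project's own code: it replaces the `include $page . '.php'` pattern with an allow-list lookup (the page names, the pages/ directory and the resolvePage() helper are assumed for illustration).

```php
<?php
// Added example, not part of Car Rental Management System: hardened router
// replacing "include $page . '.php'". Assumes templates live in ./pages (assumed).
declare(strict_types=1);

// Explicit allow-list: request value -> file name. The request value is only
// ever used as an array key, never as part of a path, so null bytes, "../"
// and php:// wrappers have nothing to act on.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'cars'  => 'cars.php',
    'book'  => 'book.php',
    'about' => 'about.php',
];

/** Map ?page= to an absolute file path, or null when it is not allowed. */
function resolvePage($requested, string $pagesDir): ?string
{
    if (!is_string($requested) || $requested === '') {
        $requested = 'home';
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really sits inside $pagesDir
    // (protects against a mistaken allow-list entry such as '../config.php').
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['page'] ?? 'home';
$file = resolvePage($requested, __DIR__ . '/pages');

if ($file === null) {
    // Log the rejected value URL-encoded so %00 / php://filter probes are
    // visible to monitoring without injecting raw bytes into the log.
    error_log('Rejected page parameter: ' . rawurlencode(substr((string) $requested, 0, 100)));
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

A request such as page=/etc/passwd%00 or page=php://filter/... fails the array_key_exists check and is logged and rejected before any include runs.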
Attack Vector
- Before PHP 5.3: An unauthenticated adversary can include arbitrary files through Null byte (%00) injection to bypass the above restriction.
- PHP 5.3 and later: Null byte injection was fixed in PHP 5.3, so the adversary can't include arbitrary files via Null byte injection, but an unauthenticated adversary can still include/execute PHP files (PHP web shells, sensitive PHP files on the system, etc.) by exploiting the Local File Inclusion vulnerability. Also, an unauthenticated adversary can disclose/read the source of the system's PHP files through the php://filter meta-wrapper.
Note: Through the PHP meta-wrapper, an adversary can only read the source of PHP files on the system, because of the .php extension append restriction.
Proof of Concept
Before PHP 5.3: Reading the /etc/passwd file through Null byte (%00) injection
/index.php?page=/etc/passwd%00
PHP 5.3 and later: Reading the db_connect PHP file of the web application through the PHP meta-wrapper
/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect
Disclosure Timeline
Reported to MITRE: 19th Nov 2020
CVE Assigned: 8th Dec 2020
CVE Published: 14th Dec 2020
CVSS Score As Per NIST NVD
CVSS Version 3.x Base Score: 9.8 CRITICAL
CVSS Version 2.0 Base Score: 7.5 HIGH
Twitter: https://twitter.com/loopspell
LinkedIn: https://www.linkedin.com/in/ankitkushwah/