# CVE-2023-0048

## Vulnerability Explanation

This vulnerability occurs because there is no **sanitization** of user-controlled input during the configuration update process. The input is later written to another **.php** file, which can lead to **RCE**.

## Vulnerability Type

* Code Injection

## CVSS

* [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H](https://nvd.nist.gov/vuln/detail/CVE-2023-0048) (High)

## Vendor

* [daloRADIUS](https://www.daloradius.com/)

## Affected Version

* daloRADIUS **<= 1.3**

## Proof of Concept

1. Go to **Config**, then go to **Mail Settings**.
2. Change the From **Email Address** value to a **malicious** payload, e.g. `';phpinfo();$a='x`
3. Go to **config-mail.php** or **library/daloradius.conf.php** to see the executed code.
4. The injected code in **library/daloradius.conf.php** can be seen in the image below.

   [Screenshot: injected code in library/daloradius.conf.php]

5. The executed code on **config-mail.php** can be seen in the image below.

   [Screenshot: executed code on config-mail.php]

6. The executed code on **library/daloradius.conf.php** can be seen in the image below.

   [Screenshot: executed code on library/daloradius.conf.php]
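
The root cause described above, shown as an added example that is not daloRADIUS source code: a config writer that pastes a form value between single quotes in generated PHP, next to a hardened form that validates the field and emits the literal with `var_export()`. The function names and the `CONFIG_MAIL_FROM` key are hypothetical; the sample value is the one from the steps above.

```php
<?php
// Added illustration, not daloRADIUS source. Function names and the
// CONFIG_MAIL_FROM key are hypothetical.

// Vulnerable pattern: the submitted value is pasted between single quotes
// in PHP source that a later request will include and execute.
function render_vulnerable(string $key, string $value): string
{
    return "\$configValues['$key'] = '$value';\n";
}

// Escaping only: var_export() emits a PHP string literal, so quotes and
// backslashes in the value stay inside the string.
function render_escaped(string $key, string $value): string
{
    return '$configValues[' . var_export($key, true) . '] = '
         . var_export($value, true) . ";\n";
}

// Hardened pattern: validate the field first, then escape. Both are needed,
// because an apostrophe is legal in the local part of an e-mail address.
function render_hardened(string $key, string $value): string
{
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return render_escaped($key, $value);
}

// Count statement terminators as PHP's own tokenizer sees them; a ';'
// inside a string literal is part of the string token and is not counted.
function count_statements(string $line): int
{
    $tokens = token_get_all('<?php ' . $line);
    return count(array_filter($tokens, fn($t) => $t === ';'));
}

$payload = "';phpinfo();\$a='x";   // the value from the steps above

printf("vulnerable: %d statement(s)\n",
    count_statements(render_vulnerable('CONFIG_MAIL_FROM', $payload)));
printf("escaped:    %d statement(s)\n",
    count_statements(render_escaped('CONFIG_MAIL_FROM', $payload)));

try {
    render_hardened('CONFIG_MAIL_FROM', $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}
```

A generated config line that tokenizes to more than one statement is a useful review signal when auditing other settings pages that write to the same file.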

## Exploit Code

```python
# TBU
```

## Tested On

* daloRADIUS version: **1.3**

## Disclosure Timeline

* **2023-01-04:** Vulnerability discovered.
* **2023-01-04:** Vulnerability fixed.
* **2023-01-04:** Vulnerability reported to the MITRE corporation.
* **2023-01-04:** CVE has been assigned.
* **2023-01-04:** Public disclosure of the vulnerability.

## Researcher

* Achmad Zaenuri Dahlan Putra ([kos0ng](https://github.com/kos0ng))

## Additional Information

* <https://huntr.com/bounties/57abd666-4b9c-4f59-825d-1ec832153e79/>
* <https://github.com/lirantal/daloradius/commit/3650eea7277a5c278063214a5b71dbd7d77fc5aa>


