
CVE-2021-23803: Incorrect Authorization in latte/latte

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.60253%
Published: 1/6/2022
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
latte/latte  | composer  | < 2.10.6            | 2.10.6

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from inadequate input sanitization in the template parser. In latte/latte versions before 2.10.6, Parser::parse did not remove control characters from the template input. An attacker who controls a template could therefore embed control characters (x00-x1F) inside a function name, for example system\x00. The SecurityPolicy allowFunctions check compared that raw, malformed name against its policy and did not recognize it as the forbidden function system, so the call was passed through into the generated PHP code unblocked; the execution environment then ignored the control byte, resolved the name as system, and ran it, bypassing the authorization check. The patch in 2.10.6 adds explicit control-character removal to Parser.php, which confirms this root cause: once the input is normalized before the policy check, the check and the engine see the same name. The PoC demonstrates the bypass by using control characters to call unauthorized functions such as system().
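To make the failure mode concrete, here is an added Python model of the check-versus-engine mismatch described above. It is not Latte's code and does not reproduce Latte's tokenizer: it assumes a gate that finds function calls with a regex expecting the name right before the opening parenthesis, an execution environment that ignores control bytes when resolving a name (the behaviour the root-cause analysis relies on), an allow-list of two functions, and the input system\x00('id'), all of which are constructed for this example. compile_vulnerable runs the policy check on the raw input and lets the control byte split the name; compile_patched strips C0 control characters (except tab, newline and carriage return) first, as the 2.10.6 fix is described above, so both the check and the engine see the same name. find_control_chars is a small audit helper for screening templates that come from untrusted sources.

```python
"""Model of the allow-list bypass described above.

Constructed example, not Latte's code. Assumptions: (1) the gate detects a
function call as "identifier immediately followed by '('", (2) the execution
environment drops control bytes before resolving a function name, (3) the
characters the fix strips are the C0 control set minus tab, newline and
carriage return. The template fragment system\x00('id') is constructed input.
"""
import re

# Allow-list of a hypothetical sandbox policy (constructed).
ALLOWED_FUNCTIONS = {"strlen", "strtoupper"}

# Unpatched gate: a call is an identifier followed (after optional blanks) by '('.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)[ \t]*\(")

# Control characters stripped by the modelled fix: C0 controls except \t, \n, \r.
CONTROL_RE = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F]")


class SecurityViolation(Exception):
    """Raised when an expression calls a function that is not allow-listed."""


def check_policy(expr: str) -> None:
    """Reject every function call in expr whose name is not on the allow-list."""
    for name in CALL_RE.findall(expr):
        if name.lower() not in ALLOWED_FUNCTIONS:
            raise SecurityViolation(f"Function {name}() is not allowed.")


def lenient_resolve(expr: str):
    """Stand-in for an engine that ignores control bytes when resolving the
    function name. Returns the name that would execute, or None if no call."""
    m = CALL_RE.search(CONTROL_RE.sub("", expr))
    return m.group(1) if m else None


def compile_vulnerable(expr: str):
    """Pre-2.10.6 behaviour: the policy check runs on the raw, unsanitized input.
    'system\x00(' is not seen as a call, so the check is silently skipped."""
    check_policy(expr)
    return lenient_resolve(expr)


def compile_patched(expr: str):
    """2.10.6 behaviour as the advisory describes it: strip control characters
    from the input first, so the check and the engine agree on the name."""
    expr = CONTROL_RE.sub("", expr)
    check_policy(expr)
    return lenient_resolve(expr)


def is_blocked(compiler, expr: str) -> bool:
    """True if compiler rejects expr with a SecurityViolation."""
    try:
        compiler(expr)
    except SecurityViolation:
        return True
    return False


def find_control_chars(template: str):
    """Audit helper: (offset, escaped byte) for every control character in a
    template, for screening templates from untrusted sources before use."""
    return [(m.start(), f"\\x{ord(m.group()):02x}")
            for m in CONTROL_RE.finditer(template)]


if __name__ == "__main__":
    malicious = "system\x00('id')"
    print("calls the raw gate sees:", CALL_RE.findall(malicious))      # []
    print("vulnerable build runs:", compile_vulnerable(malicious))     # system
    print("patched build blocks:", is_blocked(compile_patched, malicious))  # True
    print("control chars found:", find_control_chars("{=" + malicious + "}"))
```

The point of the model is the ordering: any normalization the engine performs (here, ignoring the control byte) must also be performed before the authorization check, or the check and the engine are reasoning about different names. Stripping or rejecting control characters at the parser entry, as the patch does, closes that gap for every later check rather than for one.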

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x1F)
