GitStack 2.3.10 Unauthenticated Remote Code Execution

Homepage:

https://gitstack.com/

Description:

$_SERVER['PHP_AUTH_PW'] is directly passed to exec function.

File: C:\GitStack\gitphp\include\Authentication.class.php

public function authenticate() {
	// Skipped lines
	$authenticated = false;
	$username = $_SERVER['PHP_AUTH_USER'];
	$password = $_SERVER['PHP_AUTH_PW'];
	
	
	// Check if the user is in the array of read users
	if(in_array($username, $users)){
		$authMethod = $this->getAuthMethod();
		// authenticate with ldap or by file
		if($authMethod == "file"){
			$authenticated = $this->authenticateFile($username, $password);
		} if($authMethod == "ldap") {
			$authenticated = $this->authenticateLdap($username, $password);

		}
		if ($authenticated == false){
			$this->denyAuthentication();
		}
	} else {
		
		$this->denyAuthentication();
	}
}

private function authenticateFile($username, $password) {
	// Skipped lines
	$result = exec($installDir . '/apache/bin/openssl.exe passwd -apr1 -salt ' . $currentUser['salt'] . " " . $password);
}

Proof of Concept:

Download Exploit

Timeline: