If an attacker steals a session cookie and/or token, they can upload a file anywhere on the root filesystem and achieve remote code execution (RCE).
```php
public function parse($file, $skipSave = false)
{
    $this->_parser = new Installer_Model_Installer_Module_Parser();
    // Hotfix: strip the shell metacharacters '|', single quote and backtick
    // from the supplied file path before it is handed to the module parser.
    $sanitizedFile = str_replace(array('|', "'", '`'), '', $file);
    $this->_parser->setFile($sanitizedFile)
        ->extract();
    $this->_parser->checkDependencies($skipSave);
    return $this;
}
```
Patches
Patches will be released in the 4.20.44 and 5.0.4 updates.
The previous hotfix also helps mitigate this second RCE; see the workaround below.
i.e. the earlier advisory "Critical RCE on All versions".
Workarounds
In the file app/sae/modules/Installer/Model/Installer.php (line 156), replace the parse function with the patched version shown above.