The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP object injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.
GONICUS GOsa 2.7.5.2 contains a critical PHP object injection vulnerability. It allows a remote, authenticated attacker to achieve arbitrary file deletion on the server, potentially leading to denial of service or further compromise of the system.
Step 1: Authentication: The attacker must first authenticate to the GOsa web interface. This is a prerequisite for exploiting the vulnerability as the attacker needs to be logged in to set the vulnerable cookie.
Step 2: Payload Creation: The attacker crafts a malicious PHP serialized object. This object is designed to, when unserialized, execute a function that deletes a specified file on the server. The attacker carefully constructs the serialized object to control the file path to be deleted.
Step 3: Cookie Injection: The attacker sets the GOsa_Filter_Settings cookie in their browser with the crafted serialized object as the value. This can be done using browser developer tools or a tool like Burp Suite.
Step 4: Request Submission: The attacker sends a request to the GOsa server, including the malicious GOsa_Filter_Settings cookie.
Step 5: Deserialization and Execution: The GOsa application receives the request and, due to the vulnerability, unserializes the contents of the GOsa_Filter_Settings cookie. The malicious object is unserialized, and the file deletion function is executed, deleting the file specified by the attacker.
Step 6: File Deletion: The server attempts to delete the specified file, potentially leading to denial of service or other consequences depending on the file deleted.
The vulnerability stems from the insecure use of unserialize() on user-controlled data within the GOsa_Filter_Settings cookie. The application fails to properly validate the contents of this cookie before deserializing it. This allows an attacker to craft a malicious serialized object that, when unserialized, triggers arbitrary code execution. Specifically, the attacker can inject a serialized object that, when unserialized, calls a function that deletes files on the server. The root cause is the lack of input validation and sanitization before deserialization, making the application susceptible to object injection attacks. This is a classic example of insecure deserialization, where the application trusts user-supplied data without proper checks.
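The following PHP is an added illustration of the root cause and its remediation; it is not GOsa's code. It places the unsafe pattern the advisory describes (raw unserialize() on the cookie) next to two hardened alternatives, plus a small detection helper for log review. The cookie name is taken from the advisory; the settings keys (scope, objectTypes, search), the allowed values, and the sample cookie strings are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not GOsa code. Cookie name from the advisory; the settings
// layout ('scope', 'objectTypes', 'search') is a hypothetical stand-in.

// Unsafe pattern described in the advisory: unserialize() on a client-controlled
// cookie. PHP instantiates whatever class the string names (if it is loaded or
// autoloadable), and that object's __wakeup()/__destruct() then run with the
// privileges of the web server account. This is the object-injection sink.
function restoreFilterSettingsUnsafe(array $cookies): ?array
{
    if (!isset($cookies['GOsa_Filter_Settings'])) {
        return null;
    }
    $settings = @unserialize($cookies['GOsa_Filter_Settings']);
    return is_array($settings) ? $settings : null;
}

// Minimal mitigation when the serialize() format must be kept (PHP >= 7.0):
// allowed_classes => false turns every embedded object into __PHP_Incomplete_Class,
// whose magic methods are never invoked, so no destructor-driven file operation runs.
function restoreFilterSettingsNoClasses(array $cookies): ?array
{
    if (!isset($cookies['GOsa_Filter_Settings'])) {
        return null;
    }
    $settings = @unserialize($cookies['GOsa_Filter_Settings'], ['allowed_classes' => false]);
    return is_array($settings) ? $settings : null;
}

// Preferred fix: carry the settings as JSON and validate against an allowlist.
// json_decode() only ever yields scalars and arrays, so there is nothing to inject.
const FILTER_DEFAULTS = ['scope' => 'sub', 'objectTypes' => [], 'search' => ''];

function restoreFilterSettingsSafe(array $cookies): array
{
    $settings = FILTER_DEFAULTS;
    if (!isset($cookies['GOsa_Filter_Settings'])) {
        return $settings;
    }
    try {
        $decoded = json_decode($cookies['GOsa_Filter_Settings'], true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return $settings; // malformed cookie: fall back to defaults, never trust it
    }
    if (!is_array($decoded)) {
        return $settings;
    }
    if (isset($decoded['scope']) && in_array($decoded['scope'], ['one', 'sub'], true)) {
        $settings['scope'] = $decoded['scope'];
    }
    if (isset($decoded['objectTypes']) && is_array($decoded['objectTypes'])) {
        // keep only short identifier-like type names; anything else is dropped
        $settings['objectTypes'] = array_values(array_filter(
            $decoded['objectTypes'],
            fn($t) => is_string($t) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $t) === 1
        ));
    }
    if (isset($decoded['search']) && is_string($decoded['search'])) {
        $settings['search'] = mb_substr($decoded['search'], 0, 128);
    }
    return $settings;
}

// Writer side of the JSON format (pair with restoreFilterSettingsSafe).
function storeFilterSettings(array $settings): string
{
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

// Detection aid for access-log or WAF review: a filter-settings cookie should
// never contain a serialized PHP object marker (O:<len>:"ClassName").
function cookieLooksLikeSerializedObject(string $value): bool
{
    return preg_match('/(?:^|[;{])O:\d+:"/', $value) === 1;
}

// Constructed sample cookies (not captured from a real session).
$benignLegacy = ['GOsa_Filter_Settings' => 'a:1:{s:5:"scope";s:3:"sub";}'];
$jsonCookie   = ['GOsa_Filter_Settings' => '{"scope":"one","objectTypes":["user","../x"],"search":"jdoe"}'];

var_dump(restoreFilterSettingsNoClasses($benignLegacy));                           // ['scope' => 'sub']
var_dump(restoreFilterSettingsSafe($jsonCookie));                                  // "../x" is filtered out
var_dump(cookieLooksLikeSerializedObject($benignLegacy['GOsa_Filter_Settings'])); // bool(false)
```

The allowed_classes option is the smallest change that closes the sink, but it still lets a client feed arbitrary array structures into the application, so the JSON-plus-allowlist version is the one to prefer when the cookie format can be changed. The detection helper is meant for reviewing logged cookie values or for a WAF rule; legitimate filter settings are plain arrays or JSON and never need an object marker.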