phpGACL 3.3.7 Vulnerabilities Found

The Idappcom Threat Detection Team has been investigating multiple vulnerabilities that have been discovered in phpGACL 3.3.7. We are currently re-creating the exploits so that we can supply traffic files and detection rules that protect our customers.
Description

phpGACL is a set of functions that allows you to apply access control to arbitrary objects (web pages, databases, etc) by other arbitrary objects (users, remote hosts, etc).


Vulnerabilities

CVE Numbers: CVE-2020-13562, CVE-2020-13563, CVE-2020-13564

Cross-site Scripting: Specially crafted HTTP requests can lead to arbitrary JavaScript execution using multiple parameters.

CVE Number: CVE-2020-13565

Open Redirect: A specially crafted HTTP request can be used to redirect a victim to arbitrary web sites.

CVE Number: CVE-2020-13569

Cross-site Request Forgery: A specially crafted request can be used to execute arbitrary requests; the weakness is caused by improper input validation.
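The open-redirect class listed above is typically mitigated by refusing to redirect to any destination that the application has not explicitly allow-listed. The following is an added example written for this post, not code from phpGACL, Talos or Idappcom: it is a stand-alone Python validator (phpGACL itself is PHP, but the logic is language-agnostic) that shows the edge cases a naive "does it start with a slash" check misses, such as scheme-relative `//host` targets, backslash variants that browsers normalise to slashes, and non-HTTP schemes. The host name `app.example`, the `ALLOWED_HOSTS` set and the helper names are assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment would use its own host(s).
ALLOWED_HOSTS = frozenset({"app.example"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is on the allow-list."""
    if not target:
        return False

    # Browsers strip tabs/newlines and tolerate some control characters when
    # parsing URLs, so a value containing any of them is rejected outright
    # rather than normalised.
    if any(ord(ch) < 0x20 or ch == " " for ch in target):
        return False

    # Browsers treat "\" like "/" in the authority part, so "/\evil.example"
    # is really "//evil.example". Normalise before parsing so the check sees
    # what the browser will see.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    # Reject javascript:, data:, and any other non-HTTP scheme.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    # Absolute or scheme-relative URL: the host must be allow-listed exactly.
    # (parts.hostname ignores any user:pass@ prefix and lowercases the host.)
    if parts.netloc:
        return (parts.hostname or "").lower() in allowed_hosts

    # No authority at all: accept only an absolute path on the current site.
    # "//..." cannot reach here because urlsplit would have set netloc.
    return normalised.startswith("/") and not normalised.startswith("//")


def safe_redirect_target(target: str, fallback: str = "/", allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return `target` if it passes validation, otherwise a safe fallback path.
    This is what a redirect handler would use instead of echoing the parameter."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample values a `return_url`-style parameter might carry.
    samples = [
        "/account",
        "https://app.example/dashboard",
        "//evil.example/",
        "/\\evil.example",
        "https://app.example.evil.example/",
        "javascript:alert(1)",
        "/\tevil",
    ]
    for sample in samples:
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```

The allow-list compares whole host names, so `app.example.evil.example` is not accepted by a prefix match, and the port is deliberately left unchecked here; add it to the comparison if the application is only ever served on one port.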


References

Talos Vulnerability Report 2020-1177

Talos Vulnerability Report 2020-1178

Talos Vulnerability Report 2020-1180