Summary: A security vulnerability has been identified in the Microsoft Graph Library for PHP, specifically within the Microsoft Graph Beta PHP SDK, which could potentially lead to an information disclosure. This issue arises from the inclusion of test code that allows the use of the phpInfo() function from any application able to access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The problem has been resolved in version 2..2, though there are temporary workarounds if you aren't able to immediately deploy the updated package.
Introduction
Microsoft's Graph Library for PHP (microsoft-graph-core) recently had a security vulnerability discovered in its beta version (Microsoft Graph Beta PHP SDK), which is tracked under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-49283.
The vulnerability lies within the GetPhpInfo.php script of the PHP SDK, which contains a call to the phpinfo() function - a common troubleshooting tool that can expose an abundance of information about a system's configuration, running modules, and environment variables.
Original references
- CVE-2023-49283 details
- GitHub Issue discussing the vulnerability
- Relevant commit that patches the issue
- Microsoft Graph Library for PHP on Packagist
Exploit details
For this vulnerability to be exploited, there must be a misconfiguration of the server hosting the affected PHP application. Such a misconfiguration would involve making the /vendor directory web accessible, thereby allowing an attacker to craft an HTTP request that triggers the phpinfo() method. Consequently, the attacker would obtain system information and potentially use the compromised secrets to access additional data.
Here's a simplified code snippet from the vulnerable GetPhpInfo.php file
<?php
namespace Microsoft\Graph\Core\Tests;
class GetPhpInfo
{
public function displayPhpInfo()
{
phpinfo();
}
}
And an example of an HTTP request crafted by an attacker
GET /vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php HTTP/1.1
Host: target.com
Mitigation
To mitigate this vulnerability, it's highly recommended to update your instance of the Microsoft Graph Library for PHP to version 2..2 or later.
In case you are unable to immediately deploy the updated package, you can implement the following workarounds:
`
vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php
`
2. Remove access to the /vendor directory by updating your web server's configuration. For example, if using Apache, you can add the following in a .htaccess file located in the /vendor directory:
Conclusion
The vulnerability, CVE-2023-49283, is a potential information disclosure issue found in the Microsoft Graph Library for PHP. It requires a misconfiguration on the web server, specifically allowing the /vendor directory to be web accessible. The vulnerability has been patched as of version 2..2, but you can also use one of the recommended workarounds if you're unable to update immediately.
Timeline
Published on: 12/05/2023 23:15:07 UTC
Last modified on: 12/12/2023 13:24:42 UTC