lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 13 Aug 2013 12:23:37 +0900
From: 検査検査 <mbsdtest01@...il.com>
To: bugtraq@...urityfocus.com
Subject: CakePHP AssetDispatcher Local File Inclusion Vulnerability

CVE Number:         N/A (not assigned)
Title:              CakePHP AssetDispatcher Local File Inclusion Vulnerability
Affected Software:  Confirmed on CakePHP v2.3.7, v2.2.8
                    (prior versions may also be affected)
Credit:             Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status:       v2.3.8 & 2.2.9 was released which fixes this vulnerability

Overview:
  CakePHP is an open-source web application framework for PHP.
  CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to
  LFI (Local File Inclusion) attack. Remote attacker can abuse this
  vulnerability to steal files on the server or execute PHP commands,
  if the target application has one or more themes or plugins. It is
  caused by insufficient input validation in AssetDispatcher class.

Details:
  CakePHP's AssetDispatcher class serves asset resources (such as image
  files) stored under individual theme or plugin directory. This class
  determines requested resource's path based on PATH_INFO of request URI.

  To prevent attacks, this class validates PATH_INFO and stops loading
  requested resource if PATH_INFO contains ".." sequence. But after the
  validation step, PATH_INFO will be urldecoded in _getAssetFile(). This
  allows attackers to bypass ".." check by urlencoded dot chars (%2e).

  I present two examples of attack URI. In both examples, Cake serves the
  content of /etc/passwd in HTTP response body.

  UR1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.
    //%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

  Successful attack requires one or more themes on the target server.
  In the example above, the target application must have "Test1" theme.
  This restriction is due to file_exists() check in beforeDispatch().

  URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//
    %2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

  Second example is almost same as first one. The difference is that
  second one requires one or more Cake plugins with webroot directory.
  The plugins must be actually enabled on the target server.

  The requested resource is served via include statement, so that PHP
  code execution by LFI is possible if the target Cake application
  allows uploading files such as image, text and so on.

Timeline:
  2013/07/16  Reported to CakePHP Security ML
  2013/07/18  Vender announced v2.3.8 & 2.2.9
  2013/08/13  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ