lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 1 Sep 2015 13:40:19 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] NibbleBlog 4.0.3 - Code Execution - Not fixed

NibbleBlog 4.0.3: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	NibbleBlog 4.0.3	
Fixed in: 		not fixed
Fixed Version Link: 	n/a	
Vendor Contact: 	Website: http://www.nibbleblog.com/	
Vulnerability Type: 	Code Execution	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/21/2015	
Disclosed to public: 	09/01/2015	
Release mode: 		Full Disclosure	
CVE: 			n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

When uploading image files via the "My image" plugin - which is
delivered with NibbleBlog by default - , NibbleBlog 4.0.3 keeps the
original extension of uploaded files. This extension or the actual file
type are not checked, thus it is possible to upload PHP files and gain
code execution.

Please note that admin credentials are required.

3. Proof of Concept

    Obtain Admin credentials (for example via Phishing via XSS which can
be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
    Activate My image plugin by visiting
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
    Upload PHP shell, ignore warnings
    Visit
http://localhost/nibbleblog/content/private/plugins/my_image/image.php.
This is the default name of images uploaded via the plugin.

4. Code


	        if( $plugin->init_db() )
	        {
		        // upload files
		        foreach($_FILES as $field_name=>$file)
		        {
			        $extension = strtolower(pathinfo($file['name'],
PATHINFO_EXTENSION));
			        $destination = PATH_PLUGINS_DB.$plugin->get_dir_name();
			        $complete = $destination.'/'.$field_name.'.'.$extension;

			        // Upload the new file and move
			        if(move_uploaded_file($file["tmp_name"], $complete))
			        {
				        // Resize images if requested by the plugin
				        if(isset($_POST[$field_name.'_resize']))
				        {
					        $width =
isset($_POST[$field_name.'_width'])?$_POST[$field_name.'_width']:200;
					        $height =
isset($_POST[$field_name.'_height'])?$_POST[$field_name.'_height']:200;
					        $option =
isset($_POST[$field_name.'_option'])?$_POST[$field_name.'_option']:'auto';
					        $quality =
isset($_POST[$field_name.'_quality'])?$_POST[$field_name.'_quality']:100;

					        $Resize->setImage($complete, $width, $height, $option);
					        $Resize->saveImage($complete, $quality, true);
				        }
			        }
		        }

		        unset($_POST['plugin']);

		        // update fields
		        $plugin->set_fields_db($_POST);

		        Session::set_alert($_LANG['CHANGES_HAS_BEEN_SAVED_SUCCESSFULLY']);
	        }
        }

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

07/21/2015 	Informed Vendor about Issue
07/22/2015 	Vendor Replied
08/18/2015 	Reminded Vendor of release date (no reply)
09/01/2015 	Disclosed to public

7. Blog Reference
http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists