This is a cryptographically signed message in MIME format.
--------------ms000301000404000405040907
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
CSS09-01: SlideShowPro Director File Disclosure Vulnerability
August 5, 2009
*SUMMARY*
SlideShowPro Director is vulnerable to a file disclosure flaw because it
fails to perform proper validation and handling of input parameters.
Attackers can exploit this vulnerability to read arbitrary files from
the hosting web server.
AFFECTED SOFTWARE
SlideShowPro Director version 1.1 through 1.3.8.
SEVERITY RATING
Rating: High Risk
Impact: Unauthorized access to system files
Where: Remote
SOFTWARE DESCRIPTION
SlideShowPro Director is a complement to SlideShowPro, =E2=80=9Ca web-based
component designed to be integrated into any web site =E2=80=A6 for displaying
photos and videos.=E2=80=9D Director is =E2=80=9Ca secure, easy to use application you
install on your own web server...for managing and updating your
slideshow content=E2=80=A6=E2=80=9D
(http://slideshowpro.net/products/slideshowpro_director/slideshowpro_director)
SOLUTION
The vendor has released version 1.3.9 to address this issue. Refer to
http://wiki.slideshowpro.net/SSPdir/UP-HowToUpgrade for upgrade
instructions.
REFERENCES:
CVE number not yet assigned.
A copy of this bulletin is located at:
http://www.clearskies.net/documents/css-advisory-css09001-sspdirector.pdf
TECHNICAL DETAILS
The =E2=80=9Cp.php=E2=80=9D file contains logic that is vulnerable to directory
traversal attacks. The =E2=80=9Ca=E2=80=9D parameter to this function includes a file
name parameter that can be changed to any value, including one
containing relative directory paths. The resulting file will be
retrieved and displayed.
The application incorporates scrambling/obfuscation techniques to mask
the vulnerable parameter that is supplied to the application. A
moderately skilled attacker can reverse the obfuscation without any
access to the affected server or source code.
IDENTIFYING VULNERABLE INSTALLATIONS
Vulnerable installations can be identified by the XML data file
generated by SlideShowPro Director and used by the SlideShowPro
component and will have base64-encoded =E2=80=9Ca=E2=80=9D parameters to the =E2=80=9Cp.php=E2=80=9D
function:
lgPath="http://masked/ssp_director/p.php?a=""http://masked/ssp_director/p.php?a=""http://masked/ssp_director/p.php?a=XF9VXiEyPSoqQFtFPzU2JzM6Iys%2BPiYyKzM5LTM%2BMiU%2BJzE%3D&m=1247688172">
tn= tnPath
DETECTING EXPLOITATION
The affected parameter is only accepted as a =E2=80=9CGET=E2=80=9D variable. The web
server should therefore log any exploitation attempts if basic logging
of the query string is enabled. Identifying actual exploitation is
hindered, since the attacking parameter is scrambled, but the logic to
reverse this data can be extracted the application code and settings if
necessary. Web server error logs may also contain suspicious PHP file
access warnings if a file requested by an attacker is not present.
PROOF OF CONCEPT
A proof-of-concept tool to exploit this vulnerability that accommodates
the parameter scrambling for any site has been created but not
published. Note that even sites that have defined a custom =E2=80=9Ckey=E2=80=9D or
=E2=80=9Csalt=E2=80=9D for the scrambling routines are vulnerable.
IMPACT
This issue exposes the confidentiality of any files residing on the same
drive as the component including configuration files with system access
credentials, the source code to application pages, and possibly customer
data files.
THREAT EVALUATION
The issue can be exploited by anyone from the Internet. The ability to
identify/crack the scrambling key would require a moderately skilled
individual, although once the algorithm is published, exploiting the
issue is trivial. This vulnerability can be easily scripted and
automated, placing it within reach of any individual. An attacker must
know the name of desired files.
CREDITS
Scott Miles of Clear Skies Security identified this flaw.
Clear Skies would like to thank the vendor for their openness and
responsiveness in dealing with this issue.
TIME TABLE
2009-07-20: Vendor notified; confirmed vulnerability.
2009-07-22: Vendor provides patch.
2009-08-06: Public disclosure.
--
Scott Miles
Principal Consultant
Clear Skies Security
--------------ms000301000404000405040907
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIRSTCC
BN0wggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UE
BhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEa
MBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMMGEFBQSBDZXJ0aWZpY2F0ZSBT
ZXJ2aWNlczAeFw0wNDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTlaMIGuMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUg
VVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2
MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3BYHW8OWX5
ShpHornMSMxqmNVNNRm5pELlzkniii8efNIxB8dOtINknS4p1aJkxIW9hVE1eaROaJB7HHqk
kqgX8pgV8pPMyaQylbsMTzC9mKALi+VuG6JG+ni8om+rWV6lL8/K2m2qL+usobNqqrcuZzWL
eeEeaYji5kbNoKXqvgvOdjp6Dpvq/NonWz1zHyLmSGHGTPNpsaguG7bUMSAsvIKKjqQOpdeJ
Q/wWWq8dcdcRWdq6hw2v+vPhwvCkxWeM1tZUOt4KpLoDd7NlyP0e03RiqhjKaJMeoYV+9Udl
y/hNVyh00jT/MLbu9mIwFIws6wIDAQABo4IBJzCCASMwHwYDVR0jBBgwFoAUoBEKIz6W8Qfs
4q8p74Klf9AwpLQwHQYDVR0OBBYEFImCZ33EnSZwAEu0UEh83j2uBG59MA4GA1UdDwEB/wQE
AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAR
BgNVHSAECjAIMAYGBFUdIAAwewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9j
YS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDARBglghkgBhvhCAQEEBAMCAQYw
DQYJKoZIhvcNAQEFBQADggEBAJ2Vyzy4fqUJxB6/C8LHdo45PJTGEKpPDMngq4RdiVTgZTvz
bRx8NywlVF+WIfw3hJGdFdwUT4HPVB1rbEVgxy35l1FM+WbKPKCCjKbI8OLp1Er57D9Wyd12
jMOCAU9sAPMeGmF0BEcDqcZAV5G8ZSLFJ2dPV9tkWtmNH7qGL/QGrpxp7en0zykX2OBKnxog
L5dMUbtGB8SKN04g4wkxaMeexIud6H4RvDJoEJYRmETYKlFgTYjrdDrfQwYyyDlWjDoRUtNB
pEMD9O3vMyfbOeAUTibJ2PU54om4k123KSZB6rObroP8d3XK6Mq1/uJlSmM+RMTQw16Hc6mY
HK9/FX8wggYwMIIFGKADAgECAhEA8ACzmiS1DTZ3gv87vkcZmzANBgkqhkiG9w0BAQUFADCB
rjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe
MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8vd3d3LnVz
ZXJ0cnVzdC5jb20xNjA0BgNVBAMTLVVUTi1VU0VSRmlyc3QtQ2xpZW50IEF1dGhlbnRpY2F0
aW9uIGFuZCBFbWFpbDAeFw0wOTAzMTMwMDAwMDBaFw0xMDAzMTMyMzU5NTlaMIHcMTUwMwYD
VQQLEyxDb21vZG8gVHJ1c3QgTmV0d29yayAtIFBFUlNPTkEgTk9UIFZBTElEQVRFRDFGMEQG
A1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMgb2YgdXNlOiBodHRwOi8vd3d3LmNvbW9kby5u
ZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAwMyBDb21vZG8gTGltaXRlZDEUMBIGA1UE
AxMLU2NvdHQgTWlsZXMxJDAiBgkqhkiG9w0BCQEWFXNtaWxlc0BjbGVhcnNraWVzLm5ldDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHSP/Z6TeR42M4GEblNJrN6+t42ln0I
sXBqDXwUL/0Q3ya5pH3Doxgx82YpxIXoXBW9RWaFH7QAT8NOsSfnLaRPyPbn8Ds2jkcLFcaE
DBiFNMbOD+WEX9R/0KSv2iQOI23HhBshRwkEI9NAUjyCDEpMSqoW5RRINUakPQF9tgXcMyqh
G/4pb/+2VyCuUAPz+iZlqCNp2GFDgJ6pNS1MlZlmrvzcI7UuUMkv5GrebTB/4VIXK1dQM4dP
KXK8V+cGvAfdIJrgh4V0Gipd4q3KA5mfgPdle9I1nPNKGXzjE1PqZ+TspeAHVe5WiSTHbwIx
2dsAqShhhpMmBhnA0V/njNkCAwEAAaOCAhcwggITMB8GA1UdIwQYMBaAFImCZ33EnSZwAEu0
UEh83j2uBG59MB0GA1UdDgQWBBSEXRuNIUVZFMnEbBq91W8AAUeVjDAOBgNVHQ8BAf8EBAMC
BaAwDAYDVR0TAQH/BAIwADAgBgNVHSUEGTAXBggrBgEFBQcDBAYLKwYBBAGyMQEDBQIwEQYJ
YIZIAYb4QgEBBAQDAgUgMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQEBMCswKQYIKwYBBQUH
AgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMIGlBgNVHR8EgZ0wgZowTKBKoEiG
Rmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL1VUTi1VU0VSRmlyc3QtQ2xpZW50QXV0aGVudGlj
YXRpb25hbmRFbWFpbC5jcmwwSqBIoEaGRGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9VVE4tVVNF
UkZpcnN0LUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kRW1haWwuY3JsMGwGCCsGAQUFBwEBBGAw
XjA2BggrBgEFBQcwAoYqaHR0cDovL2NydC5jb21vZG9jYS5jb20vVVROQUFBQ2xpZW50Q0Eu
Y3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIAYDVR0RBBkwF4EV
c21pbGVzQGNsZWFyc2tpZXMubmV0MA0GCSqGSIb3DQEBBQUAA4IBAQCOd0SQb1kbUEo0QpvX
4keNvXdZVn+4uIyUgxzUtTOYYZ3+FQxrFt0DNhlqcSIRoz31AdPATl1MSbp2Bohm6bQKnuhA
EJWjRaW9jcWSQ85zPCtrd+umqbE+zc01O590S4b7YfpiB1wV7NJ5wT4Z3UP/NMyAPpV8yyYN
nzMuS0N+ejjVDu+ddN8cyMKvzfERCLoBtF7ukVQ4tnKo8/ViTfzpxZetKmPqMZj/yCz1NzbQ
XBjyYBEtBV8pfpPHafGBmeQHZc9ejKk9eE2PNhsA9YQep2p0h6A+pvipjaq1OvGINrXihKhB
E4GYlSqcA5w5k+IcbLqXHB0hTmcCEA3CavGmMIIGMDCCBRigAwIBAgIRAPAAs5oktQ02d4L/
O75HGZswDQYJKoZIhvcNAQEFBQAwga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUG
A1UEBxMOU2FsdCBMYWtlIENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEh
MB8GA1UECxMYaHR0cDovL3d3dy51c2VydHJ1c3QuY29tMTYwNAYDVQQDEy1VVE4tVVNFUkZp
cnN0LUNsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgRW1haWwwHhcNMDkwMzEzMDAwMDAwWhcN
MTAwMzEzMjM1OTU5WjCB3DE1MDMGA1UECxMsQ29tb2RvIFRydXN0IE5ldHdvcmsgLSBQRVJT
T05BIE5PVCBWQUxJREFURUQxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25kaXRpb25zIG9mIHVz
ZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkxHzAdBgNVBAsTFihjKTIwMDMg
Q29tb2RvIExpbWl0ZWQxFDASBgNVBAMTC1Njb3R0IE1pbGVzMSQwIgYJKoZIhvcNAQkBFhVz
bWlsZXNAY2xlYXJza2llcy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB
0j/2ek3keNjOBhG5TSazevreNpZ9CLFwag18FC/9EN8muaR9w6MYMfNmKcSF6FwVvUVmhR+0
AE/DTrEn5y2kT8j25/A7No5HCxXGhAwYhTTGzg/lhF/Uf9Ckr9okDiNtx4QbIUcJBCPTQFI8
ggxKTEqqFuUUSDVGpD0BfbYF3DMqoRv+KW//tlcgrlAD8/omZagjadhhQ4CeqTUtTJWZZq78
3CO1LlDJL+Rq3m0wf+FSFytXUDOHTylyvFfnBrwH3SCa4IeFdBoqXeKtygOZn4D3ZXvSNZzz
Shl84xNT6mfk7KXgB1XuVokkx28CMdnbAKkoYYaTJgYZwNFf54zZAgMBAAGjggIXMIICEzAf
BgNVHSMEGDAWgBSJgmd9xJ0mcABLtFBIfN49rgRufTAdBgNVHQ4EFgQUhF0bjSFFWRTJxGwa
vdVvAAFHlYwwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwIAYDVR0lBBkwFwYIKwYB
BQUHAwQGCysGAQQBsjEBAwUCMBEGCWCGSAGG+EIBAQQEAwIFIDBGBgNVHSAEPzA9MDsGDCsG
AQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQ
UzCBpQYDVR0fBIGdMIGaMEygSqBIhkZodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9VVE4tVVNF
UkZpcnN0LUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kRW1haWwuY3JsMEqgSKBGhkRodHRwOi8v
Y3JsLmNvbW9kby5uZXQvVVROLVVTRVJGaXJzdC1DbGllbnRBdXRoZW50aWNhdGlvbmFuZEVt
YWlsLmNybDBsBggrBgEFBQcBAQRgMF4wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuY29tb2Rv
Y2EuY29tL1VUTkFBQUNsaWVudENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29t
b2RvY2EuY29tMCAGA1UdEQQZMBeBFXNtaWxlc0BjbGVhcnNraWVzLm5ldDANBgkqhkiG9w0B
AQUFAAOCAQEAjndEkG9ZG1BKNEKb1+JHjb13WVZ/uLiMlIMc1LUzmGGd/hUMaxbdAzYZanEi
EaM99QHTwE5dTEm6dgaIZum0Cp7oQBCVo0WlvY3FkkPOczwra3frpqmxPs3NNTufdEuG+2H6
YgdcFezSecE+Gd1D/zTMgD6VfMsmDZ8zLktDfno41Q7vnXTfHMjCr83xEQi6AbRe7pFUOLZy
qPP1Yk386cWXrSpj6jGY/8gs9Tc20FwY8mARLQVfKX6Tx2nxgZnkB2XPXoypPXhNjzYbAPWE
HqdqdIegPqb4qY2qtTrxiDa14oSoQROBmJUqnAOcOZPiHGy6lxwdIU5nAhANwmrxpjGCBFMw
ggRPAgEBMIHEMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQg
TGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0
dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQg
QXV0aGVudGljYXRpb24gYW5kIEVtYWlsAhEA8ACzmiS1DTZ3gv87vkcZmzAJBgUrDgMCGgUA
oIICYzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wOTA4MDYx
NjIzMTVaMCMGCSqGSIb3DQEJBDEWBBQFFdkTRNX+uxQIw4YbN4jhHJPCTTBSBgkqhkiG9w0B
CQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUr
DgMCBzANBggqhkiG9w0DAgIBKDCB1QYJKwYBBAGCNxAEMYHHMIHEMIGuMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUg
VVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2
MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls
AhEA8ACzmiS1DTZ3gv87vkcZmzCB1wYLKoZIhvcNAQkQAgsxgceggcQwga4xCzAJBgNVBAYT
AlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHjAcBgNVBAoTFVRo
ZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDovL3d3dy51c2VydHJ1c3QuY29t
MTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgRW1h
aWwCEQDwALOaJLUNNneC/zu+RxmbMA0GCSqGSIb3DQEBAQUABIIBAGKLZqO9hhB4EgL0hC9P
400Tl8ygz9SdMH3IXnb1ie4hw/NgIKJGj7JCEu9xLcB4qMo0797XzwMsWcvjqrbKAo64+/m2
OC8RugVjEk03p5ISHaAPpwIuHgjwDSREo9tSj45sqMZdhsrVeal/l4tKh/xaKKtSzSc4SdTu
fyDvypOYakw9uQhhBasKi0ItFAlhquo4KszXptV4SVMvnnXW9ppoCcLFmwiDnB9HXM/2y3id
huLsjN3n6hp/D8NH3P4Vhu91SRV2tr6TH5GPURRa3FjNwmJ1fBdPPueAp86bDRiHAC4GVhnK
6HGhlVhRiDz8PIi09llGjrXt/ZVgcray07kAAAAAAAA--------------ms000301000404000405040907--