12th Jan 2003 [SBWID-5925]
COMMAND
Mambo Site Server Remote Code Execution
SYSTEMS AFFECTED
Mambo 4.0.12 BETA and Prior
PROBLEM
Mindwarper [mindwarper@hush.com] found :
Mambo Site Server is a website portal tool written in php. A couple of
vulnerabilities have been discovered including XSS and Remote Code
Execution on the server with server permissions. A couple of includes
and upload codes do not check for admin access or any type of
restriction and allow attackers to run arbitrary code without
permission.
----------------------
Vulnerability:
----------------------
1. XSS exists in the following files and possibly in a couple more.
administrator/popups/sectionswindow.php (type=web&link="<script>alert(document.cookie)</script>)
administrator/gallery/gallery.php (directory="<script>alert(document.cookie)</script>)
administrator/gallery/navigation.php (directory="<script>alert(document.cookie)</script>)
administrator/gallery/uploadimage.php (directory="<script>alert(document.cookie)</script>)
administrator/gallery/view.php (path="<script>alert(document.cookie)</script>)
administrator/upload.php (newbanner=1&choice="<script>alert(document.cookie)</script>)
themes/mambosimple.php (detection=detected&sitename=</title><script>alert(document.cookie)</script>)
upload.php (type="<script>alert(document.cookie)</script>)
emailfriend/emailarticle.php (id="<script>alert(document.cookie)</script>)
emailfriend/emailfaq.php (id="<script>alert(document.cookie)</script>)
emailfriend/emailnews.php (id="<script>alert(document.cookie)</script>)
2. Remote Arbitrary Code Execution is found in the gallery image
uploader under administrator directory.
administrator/gallery/uploadimage.php
(these are also exploitable: upload.php and administrator/upload.php)
Apparently, this file allows any remote and local users to upload
'images' to the server without checking for any permissions. By
tricking the badly written file extension security check, an attacker
can upload any type of arbitrary files to the server.
----------------------
Exploit:
----------------------
The following code can be found inside uploadimage.php file.
**********************************************************************
..
if (isset($fileupload)){
    // Destination directory is chosen from the user-supplied $directory
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }
    // Only the part before the first dot is checked for safe characters
    $filename = split("\.", $userfile_name);
    if (eregi("[^0-9a-zA-Z_]", $filename[0])){
        print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    if (file_exists($base_Dir.$userfile_name)){
        print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    // Extension 'check': a substring match anywhere in the name, not at its end
    if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
        print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) || (eregi(".xls", $userfile_name))){
        if (!copy($userfile, $pdf_path.$userfile_name)){
            echo "Failed to copy $userfile_name";
        }
    }
    elseif (!copy($userfile, $base_Dir.$userfile_name)){
        echo "Failed to copy $userfile_name";
    }
    if (eregi(".jpg", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    elseif (eregi(".pdf", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
    }
    if (eregi(".png", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    else {
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
}
..
**********************************************************************
First of all
---=---
if (isset($fileupload)){
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }
---=---
Just sets the directory in which the files will be uploaded to. We can
leave both $directory and $fileupload empty.
Now let's examine the 'security check' that is included in this code:
---=---
if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
---=---
As you can or cannot see, the function eregi() only checks if the
'.ext' are located inside the string $userfile_name, but does not check
if they end with that extension. The attacker can just rename his file
to r00t.jpg.php and upload without any warnings.
After uploading the arbitrary file successfully, the attacker just
needs to activate his code by calling /images/stories/r00t.jpg.php and
he's got remote access to the server with server permissions.
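The flaw described above in a self-contained form, as an added example (not Mambo's code and not from the reporter): the substring test used by uploadimage.php next to a strict whitelist test, both run over constructed filenames. eregi() no longer exists in current PHP, so preg_match() with the /i flag stands in for it; the function and sample names are this example's own.

```php
<?php
// Added example, not Mambo's code. Same whitelist the original snippet uses.
const ALLOWED_EXT = ['gif', 'png', 'jpg', 'doc', 'xls', 'swf', 'pdf'];

// Weak check, mirroring eregi(".jpg", $userfile_name): passes when ".ext"
// occurs ANYWHERE in the name. The unescaped "." also matches any character,
// so even "xjpg" gets through.
function weakCheck(string $name): bool {
    foreach (ALLOWED_EXT as $ext) {
        if (preg_match('/.' . $ext . '/i', $name)) {
            return true;
        }
    }
    return false;
}

// Strict check: exactly one dot, a plain alphanumeric/underscore base name,
// and the part after the dot must be one whole allowed extension. This also
// rejects double extensions such as "r00t.jpg.php" and path characters.
function strictCheck(string $name): bool {
    if (!preg_match('/^[0-9A-Za-z_]+\.([0-9A-Za-z]+)$/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXT, true);
}

// Constructed sample names: normal uploads plus the cases the advisory warns about.
$samples = ['photo.jpg', 'report.PDF', 'r00t.jpg.php', 'shell.php', '../evil.gif', 'xjpg'];
foreach ($samples as $n) {
    printf("%-14s weak=%-4s strict=%s\n",
        $n,
        weakCheck($n) ? 'pass' : 'fail',
        strictCheck($n) ? 'pass' : 'fail');
}
```

Even with a strict check, the upload directory should be served without script execution (or kept outside the document root), so that any file that does slip through cannot be run by requesting it.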
SOLUTION
None yet, check [http://www.mamboserver.com]
Meanwhile you should remove the following files from your server:
upload.php
administrator/upload.php
administrator/gallery/uploadimage.php