View Full Version : Mambo Site Server Remote Code Execution



Mindwarper
21/01/03, 06:56
Mambo PHP-Portal Vulnerability ( By Mindwarper :: logger@hehe.com :: )

<------- ------->

----------------------
Vendor Information:
----------------------

Homepage : http://www.mamboserver.com
Vendor : informed
Mailed advisory : 09/01/03
Vendor Response : none yet


----------------------
Affected Versions:
----------------------

4.0.12 BETA and Prior


----------------------
Description:
----------------------

Mambo Site Server is a website portal tool written in PHP. A couple of
vulnerabilities have been discovered, including XSS and Remote Code Execution
on the server with the web server's permissions. Several include and upload
scripts do not check for admin access or any other kind of restriction, and
so allow attackers to run arbitrary code without permission.

----------------------
Vulnerability:
----------------------

1. XSS exists in the following files, and possibly in a couple more.

administrator/popups/sectionswindow.php
(type=web&link="<script>alert(document.cookie)</script>)

administrator/gallery/gallery.php
(directory="<script>alert(document.cookie)</script>)

administrator/gallery/navigation.php
(directory="<script>alert(document.cookie)</script>)

administrator/gallery/uploadimage.php
(directory="<script>alert(document.cookie)</script>)

administrator/gallery/view.php
(path="<script>alert(document.cookie)</script>)

administrator/upload.php
(newbanner=1&choice="<script>alert(document.cookie)</script>)

themes/mambosimple.php
(detection=detected&sitename=</title><script>alert(document.cookie)</script>)

upload.php (type="<script>alert(document.cookie)</script>)

emailfriend/emailarticle.php (id="<script>alert(document.cookie)</script>)

emailfriend/emailfaq.php (id="<script>alert(document.cookie)</script>)

emailfriend/emailnews.php (id="<script>alert(document.cookie)</script>)



2. Remote Arbitrary Code Execution is found in the gallery image uploader
under the administrator directory.

administrator/gallery/uploadimage.php

(these are also exploitable: upload.php and administrator/upload.php)

Apparently, this file allows any remote or local user to upload 'images' to
the server without checking for any permissions. By tricking the badly
written file extension security check, an attacker can upload files of any
type to the server.


----------------------
Exploit:
----------------------

The following code can be found inside the uploadimage.php file.


************************************************************************


....

if (isset($fileupload)){
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }

    $filename = split("\.", $userfile_name);
    if (eregi("[^0-9a-zA-Z_]", $filename[0])){
        print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }

    if (file_exists($base_Dir.$userfile_name)){
        print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }

    if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) &&
        (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name)) &&
        (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name)) &&
        (!eregi(".pdf", $userfile_name))){
        print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }

    if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) ||
        (eregi(".xls", $userfile_name))){
        if (!copy($userfile, $pdf_path.$userfile_name)){
            echo "Failed to copy $userfile_name";
        }
    }
    elseif (!copy($userfile, $base_Dir.$userfile_name)){
        echo "Failed to copy $userfile_name";
    }

    if (eregi(".jpg", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    elseif (eregi(".pdf", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
    }
    if (eregi(".png", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    else {
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
}

....


************************************************************************


First of all:

---=---
if (isset($fileupload)){
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }
---=---

This just sets the directory the files will be uploaded to.
We can leave both $directory and $fileupload empty.

Now let's examine the 'security check' that is included in this code:

---=---
if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) &&
    (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name)) &&
    (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name)) &&
    (!eregi(".pdf", $userfile_name))){
---=---

As you may or may not see, eregi() only checks whether the '.ext' string
occurs somewhere inside $userfile_name; it does not check that the name
ends with that extension. The attacker can simply rename his file to
r00t.jpg.php and upload it without any warnings.

After uploading the arbitrary file successfully, the attacker only needs to
activate his code by calling /images/stories/r00t.jpg.php, and he has remote
access to the server with the web server's permissions.
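As an added illustration (not Mambo's code and not part of the original advisory), the unanchored substring check above is placed beside an anchored whitelist check that only accepts a single alphanumeric stem plus one allowed extension; the function names and the sample file names are constructed for this example.

```php
<?php
// Weak check, as in uploadimage.php: the pattern is looked for anywhere in the
// name, so a name such as 'r00t.jpg.php' is accepted. eregi() was removed in
// PHP 7, so preg_match() with the 'i' flag reproduces its behaviour here.
function weak_extension_check(string $name): bool
{
    foreach (['.gif', '.png', '.jpg', '.doc', '.xls', '.swf', '.pdf'] as $ext) {
        if (preg_match('/' . $ext . '/i', $name) === 1) {  // unanchored, like eregi()
            return true;
        }
    }
    return false;
}

// Hardened check: the whole name must be one stem of [0-9a-z_] characters
// followed by exactly one allowed extension at the very end of the string.
// The escaped '\.' and the '^...$' anchors are what close the bypass.
// As the advisory notes, this script also lacks any admin-access check; the
// extension test belongs after an authorization check, not instead of one.
function strict_extension_check(string $name): bool
{
    return preg_match('/^[0-9a-z_]+\.(gif|png|jpg|doc|xls|swf|pdf)$/i', $name) === 1;
}

// Constructed sample names: the advisory's example plus ordinary cases.
$samples = ['photo.jpg', 'report.PDF', 'r00t.jpg.php', 'my file.gif', 'noext', 'notes.txt'];
foreach ($samples as $n) {
    printf("%-14s weak=%-6s strict=%s\n", $n,
        weak_extension_check($n)   ? 'accept' : 'reject',
        strict_extension_check($n) ? 'accept' : 'reject');
}
```

Only 'photo.jpg' and 'report.PDF' pass the strict check; the weak check also accepts 'r00t.jpg.php' and 'my file.gif', which is exactly the gap the advisory describes.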


----------------------
Solution:
----------------------

Please check the vendor's website for new patches.

Meanwhile, you should remove the following files from your server:

upload.php
administrator/upload.php
administrator/gallery/uploadimage.php

----------------------
Greetz:
----------------------

Cyon, daemorhedron, Tt, Truckle, ps.

<------- ------->

