Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Jupiter Cms Multiple Vulnerabilities

from [admin] Network Security [Permanent Link]
Subject: Jupiter Cms Multiple Vulnerabilities
Date: Mon, 24 Dec 2007 15:25:18 +0330

########################## WwW.BugReport.ir ###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: Jupiter Cms Multiple Vulnerabilities
# Vendor: http://www.jupiterportal.com
# Bugs: Local File Inclusion, Privileges Escalation
# Vulnerable Version: 1.1.5ex (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Fix Available: No!
###################################################################################


####################
- Description:
####################

Quote from vendor: "Jupiter is one of the most lightweight portal systems available and it`s open source".

####################
- Vulnerability:
####################

Improper use of extract() result in multiple vulnerability Such as LFI & PE

+-->Local File Inclusion (Remote Code Execution)

Code Snippet:

/index.php line#609-615

if(isset($n))
{
        if(file_exists("$n.php"))
        {
                if(strpos($n, "../") !== false) header("location: 
$PHP_SELF?i=error");
                else include("$n.php");
        }

It's possible for an attacker to set $n variable! although we have a backward directory traversal check but because of index.php exists in the main directory of application
Attacker can upload php codes with image/gif type and include it from images/avatars directory!

POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00

+-->Privileges Escalation

There is a logical weakness in $db->updateRow() which could result in privileges escalation in conjunction with extract() weakness in profile update process.

Code Snippet:

/include/functions_db.php line#158-174

function updateRow($table,$array,$condition)
        {
                if(count($array)==0) return;
                $q="UPDATE $table SET ";
                foreach($array as $index=>$value)
                {
                        if($value==NULL)
                                $q.="`$index`=NULL, ";
                        else
                        {
                                $value=mysql_escape_string($value);
                                $q.="`$index`='$value', ";
                        }
                }
                $q=substr($q,0,-2)." WHERE $condition LIMIT 1";
                $this->query($q);
        }

/modules/panel.php line#328-344

                $tmp['email'] = $editemail;
                $tmp['url'] = $editurl;
                $tmp['flag'] = $editflag;
                $tmp['location'] = $editlocation;
                $tmp['age'] = $editage;
                $tmp['hideemail'] = $edithideemail;
                $tmp['calendarbday'] = $editcalendarbday;
                $tmp['msn'] = $editmsn;
                $tmp['yahoo'] = $edityahoo;
                $tmp['icq'] = $editicq;
                $tmp['aim'] = $editaim;
                $tmp['skype'] = $editskype;
                $tmp['signature'] = $editsignature;
                $tmp['aboutme']= $editaboutme;
                $tmp['templates']= $edittemplate;

                $db->updateRow("users",$tmp,"id={$user['id']}");

$tmp[authorization] which handles users access level can be set at this point with $_GET ,$_POST or $_COOCKIE because of improper use of extract();

####################
- PoC :
####################
http://www.bugreport.ir/?/23/exploit
Original Advisory: http://www.bugreport.ir/?/23

####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Jupiter Cms Multiple Vulnerabilities, admin <=
Previous by Date:  [waraxe-2007-SA#060] - Sensitive info disclosure in CuteNews <= 1.4.5, come2waraxe
Next by Date:  PHP <= 5.2.5 Safe Mode Bypass, admin
Previous by Thread:  [waraxe-2007-SA#060] - Sensitive info disclosure in CuteNews <= 1.4.5, come2waraxe
Next by Thread:  PHP <= 5.2.5 Safe Mode Bypass, admin
Indexes:  [Date] [Thread] [Top] [All Lists]