Jupiter Cms Multiple Vulnerabilities
########################## WwW.BugReport.ir
###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: Jupiter Cms Multiple Vulnerabilities
# Vendor: http://www.jupiterportal.com
# Bugs: Local File Inclusion, Privilege Escalation
# Vulnerable Version: 1.1.5ex (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Fix Available: No!
###################################################################################
####################
- Description:
####################
Quote from vendor: "Jupiter is one of the most lightweight portal systems available and it's open source".
####################
- Vulnerability:
####################
Improper use of extract() on request data (every $_GET, $_POST and $_COOKIE key becomes a local variable) results in multiple vulnerabilities, among them local file inclusion (LFI) and privilege escalation (PE).
+-->Local File Inclusion (Remote Code Execution)
Code Snippet:
/index.php line#609-615
// $n is never assigned by index.php itself; it exists only because
// extract() has been run on the request, so any client can set it.
if(isset($n))
{
    if(file_exists("$n.php"))
    {
        // The only filter is a substring test for "../"; sub-directories
        // of the application root and NUL-terminated names pass through.
        if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
        else include("$n.php");
    }
}
Because of extract(), an attacker controls the $n variable. The traversal check only rejects values containing "../", and since index.php lives in the application's root directory, every file below that root is still reachable. An attacker can upload a file containing PHP code as an image/gif avatar and then include it from the images/avatars directory. The trailing %00 in the request is the NUL byte that, on the PHP builds this version was written for, terminates the path so that the ".php" the code appends is ignored by both file_exists() and include().
POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00
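The following is an added example, not code from Jupiter CMS or from the advisory authors. It reproduces the page-loading check from index.php as a function so it can be run against the advisory's payload, and places a hardened resolver next to it. The hardened version reads the page name from $_GET explicitly instead of relying on extract(), restricts it to a fixed character set (which excludes slashes, dots and NUL bytes), and confirms with realpath() that the resolved file sits inside a modules directory. MODULE_DIR, vulnerable_resolve(), is_safe_module_name() and resolve_module() are names chosen for this illustration; Jupiter CMS has no such directory or functions.

```php
<?php
// Added example (not Jupiter CMS code). The directory layout and function
// names below are assumptions made for illustration.

// The original logic, reproduced as a function for comparison. In the CMS,
// $n comes from extract() on request data and the only filter is "../".
function vulnerable_resolve(string $n): ?string
{
    if (strpos($n, '../') !== false) {
        return null;          // blocks parent references only
    }
    return "$n.php";          // "images/avatars/aa.gif\0" passes unchanged
}

// Hardened version: no extract(), a strict allow-list on the name, and a
// canonical-path check against a single directory of includable modules.
define('MODULE_DIR', realpath(__DIR__) . DIRECTORY_SEPARATOR . 'modules');

function is_safe_module_name(string $name): bool
{
    // Letters, digits and underscores only; \A and \z reject embedded newlines
    // and the pattern leaves no room for "/", "." or "\0".
    return (bool) preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name);
}

function resolve_module(string $name): ?string
{
    if (!is_safe_module_name($name)) {
        return null;
    }
    // realpath() returns false for a missing file and canonicalises the
    // path, so a prefix comparison with the module directory is reliable.
    $path = realpath(MODULE_DIR . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || strpos($path, MODULE_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the advisory's payload, a plain traversal attempt and
// a legitimate page name.
$samples = ["images/avatars/aa.gif\0", '../../etc/passwd', 'news'];
foreach ($samples as $n) {
    printf("%-28s vulnerable=%-32s hardened=%s\n",
        addcslashes($n, "\0"),
        var_export(vulnerable_resolve($n), true),
        var_export(resolve_module($n), true));
}

// How index.php would use it in place of the extract()-based block:
//   $name = isset($_GET['n']) ? (string) $_GET['n'] : 'index';
//   $path = resolve_module($name);
//   if ($path === null) { header('Location: index.php?i=error'); exit; }
//   include $path;
```

With no modules directory present, resolve_module() returns null for every input, including 'news'; the point of the run is that the vulnerable function hands back "images/avatars/aa.gif\0.php" and "../../etc/passwd" is the only value it refuses. Rejecting the name up front, rather than searching it for a known-bad substring, is what makes the NUL-byte and sub-directory variants irrelevant.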
+-->Privilege Escalation
There is a logical weakness in $db->updateRow(): it writes every key of the array it is given as a column name. Combined with the extract() weakness in the profile update process, this results in privilege escalation.
Code Snippet:
/include/functions_db.php line#158-174
function updateRow($table,$array,$condition)
{
    if(count($array)==0) return;
    $q="UPDATE $table SET ";
    // Every key of $array becomes a column in the SET clause; nothing
    // restricts the caller to the columns it intended to change.
    foreach($array as $index=>$value)
    {
        if($value==NULL)
            $q.="`$index`=NULL, ";
        else
        {
            $value=mysql_escape_string($value);
            $q.="`$index`='$value', ";
        }
    }
    $q=substr($q,0,-2)." WHERE $condition LIMIT 1";
    $this->query($q);
}
/modules/panel.php line#328-344
// $tmp is populated by appending keys; nothing in this excerpt resets it
// first, so any entries it already carries are passed on to updateRow().
$tmp['email'] = $editemail;
$tmp['url'] = $editurl;
$tmp['flag'] = $editflag;
$tmp['location'] = $editlocation;
$tmp['age'] = $editage;
$tmp['hideemail'] = $edithideemail;
$tmp['calendarbday'] = $editcalendarbday;
$tmp['msn'] = $editmsn;
$tmp['yahoo'] = $edityahoo;
$tmp['icq'] = $editicq;
$tmp['aim'] = $editaim;
$tmp['skype'] = $editskype;
$tmp['signature'] = $editsignature;
$tmp['aboutme'] = $editaboutme;
$tmp['templates'] = $edittemplate;
$db->updateRow("users",$tmp,"id={$user['id']}");
$tmp['authorization'], the field that holds a user's access level, can be set at this point through $_GET, $_POST or $_COOKIE because of the improper use of extract(): a request parameter named tmp[authorization] is parsed by PHP into an array, extract() turns that array into the local variable $tmp before the assignments above run, and updateRow() then writes the extra key to the users table along with the legitimate profile fields.
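The following is an added example, not code from Jupiter CMS or from the advisory. It runs the extract()-seeding step against a constructed $_POST to show how tmp[authorization] ends up in the UPDATE statement, then shows a hardened profile update that builds its field array from named $_POST entries, passes values as bound parameters, and gives updateRow() an explicit list of writable columns. The example assumes extract() is applied to $_POST (the advisory names $_GET, $_POST and $_COOKIE as sources); profile_fields(), build_update() and the column list are names and values chosen for illustration.

```php
<?php
// Added example (not Jupiter CMS code). The request body, the function names
// and the column allow-list are assumptions made for illustration.

// Constructed request: the fields a profile form legitimately sends plus an
// extra parameter named tmp[authorization]. PHP's request parser stores that
// as $_POST['tmp'] = ['authorization' => 'admin'].
$_POST = [
    'editemail' => 'user@example.com',
    'editurl'   => 'http://example.com',
    'tmp'       => ['authorization' => 'admin'],   // the injected key
];

// --- Vulnerable flow -------------------------------------------------------
// extract() on request data creates $editemail, $editurl AND $tmp as locals,
// so $tmp already holds 'authorization' when panel.php starts appending.
extract($_POST, EXTR_OVERWRITE);
$tmp['email'] = $editemail;
$tmp['url']   = $editurl;
// The original updateRow() emits one `column`='value' pair per key, so the
// injected column rides along with the legitimate ones.
$vulnerableSet = implode(', ', array_map(
    fn($k) => "`$k`='" . addslashes((string) $tmp[$k]) . "'",
    array_keys($tmp)));
echo "vulnerable: UPDATE users SET $vulnerableSet WHERE id=42 LIMIT 1\n";

// --- Hardened flow ---------------------------------------------------------
// 1. No extract(): each field is copied from $_POST by name into a new array.
// 2. The update builder takes an explicit list of writable columns.
// 3. Values travel as bound parameters rather than concatenated SQL.
function profile_fields(array $post): array
{
    $fields = [];                              // fresh array; cannot be seeded
    foreach (['email', 'url', 'location', 'signature'] as $col) {
        if (isset($post['edit' . $col])) {
            $fields[$col] = (string) $post['edit' . $col];
        }
    }
    return $fields;
}

function build_update(string $table, array $fields, array $allowed, int $id): array
{
    $unknown = array_diff(array_keys($fields), $allowed);
    if ($unknown) {
        throw new InvalidArgumentException(
            'refusing to update column(s): ' . implode(', ', $unknown));
    }
    $set = implode(', ', array_map(fn($k) => "`$k` = ?", array_keys($fields)));
    // SQL plus parameter list, ready for mysqli/PDO prepare() and execute().
    return ["UPDATE `$table` SET $set WHERE id = ? LIMIT 1",
            array_merge(array_values($fields), [$id])];
}

$allowed = ['email', 'url', 'flag', 'location', 'age', 'hideemail',
            'signature', 'aboutme', 'templates'];

[$sql, $params] = build_update('users', profile_fields($_POST), $allowed, 42);
echo "hardened:   $sql  params=" . json_encode($params) . "\n";

// Even if a seeded array reaches the builder, the allow-list rejects it.
try {
    build_update('users', $tmp, $allowed, 42);
} catch (InvalidArgumentException $e) {
    echo "rejected:   " . $e->getMessage() . "\n";
}
```

The first line of output carries `authorization`='admin' in its SET clause; the hardened path never sees that key because profile_fields() starts from an empty array, and build_update() refuses it outright when handed the seeded $tmp. Note that the allow-list deliberately omits authorization: access level is changed through an administrative path, never through the self-service profile form.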
####################
- PoC :
####################
http://www.bugreport.ir/?/23/exploit
Original Advisory: http://www.bugreport.ir/?/23
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com