SecurityTracker.com

SecurityTracker Archives

Category:  Application (Generic) > phpMyFAQ
Vendors:  phpMyFAQ Team
phpMyFAQ Input Validation Holes Let Remote Users View and Execute Files on the Target System
SecurityTracker Alert ID:  1010190
SecurityTracker URL:  http://securitytracker.com/id/1010190
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 18 2004
Impact:  Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  1.3.12 and prior (stable version); 1.4.0-alpha1 and prior (dev)
Description:   A local file inclusion vulnerability was reported in phpMyFAQ. A remote user can view arbitrary files on the target system, and can execute PHP code contained in files that already reside on the target system.

Stefan Esser of e-matters reported that 'index.php' does not properly validate user-supplied input.

A remote user can supply a specially crafted value for the $action variable that combines a relative path ('../' sequences) with a NULL character ('\0'). The script prefixes a directory name and appends a file extension to this value, but the NULL byte truncates the constructed filename, so the appended extension is discarded and the include statement opens the attacker-chosen file. The remote user can thereby view arbitrary files with the privileges of the target web server. If the remote user can first inject PHP code into a file at a known path (a web server log file, for example), then including that file executes the injected PHP code. The stable version (1.3.12 and prior) is reported to be affected.

It is also reported that the development version (1.4.0-alpha1) does not properly validate the $lang variable, which is used without sanity checks when constructing a language include filename. The flaw can be exploited in the same way. The original advisory notes that PHP's realpath() accepts paths of the form 'dir/file.ext/../../..', so '..' sequences are collapsed even when they pass through a component that is not a directory.
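The following Python is an added model of the two index.php filename constructions described above and of the checks that close them. It is illustrative code written for this archive page, not phpMyFAQ's source and not taken from the e-matters advisory. The directory names, the file extensions, the action names and the lang/language_<code>.php layout are assumptions; the NULL-byte truncation and the lexical handling of '..' through a file component are modelled explicitly, because current PHP rejects NUL bytes in paths and a real filesystem refuses to traverse through a plain file, so the 2004 behaviour cannot be reproduced directly.

```python
import posixpath
import re
from typing import Optional

# Constructed deployment layout for this model. Directory names, extensions,
# action names and the lang/language_<code>.php layout are assumptions made
# for illustration, not taken from the phpMyFAQ source.
WEBROOT = "/var/www/phpmyfaq"
TEMPLATE_DIR = "template"
TEMPLATE_EXT = ".tpl"
LANG_DIR = "lang"
LANG_EXT = ".php"

ALLOWED_ACTIONS = frozenset({"main", "add", "search", "show"})  # assumed names
LANG_CODE = re.compile(r"[a-z]{2}")  # exactly two lowercase letters


def c_string(path: str) -> str:
    """PHP 4 passed filenames to libc as NUL-terminated C strings, so
    everything after the first '\\0' was silently dropped. This is the
    '\\0 string cut' the advisory refers to."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def php4_realpath(path: str) -> str:
    """Lexical resolution of a path relative to WEBROOT. Like the realpath
    behaviour the advisory relies on, '..' is collapsed even through a
    component that is a plain file or does not exist (dir/file.ext/../..);
    a real filesystem lookup would fail with ENOTDIR on such a path."""
    return posixpath.normpath(posixpath.join(WEBROOT, path))


def vulnerable_template_path(action: str) -> str:
    """1.3.12 pattern: directory prefix + $action + extension, unvalidated.
    The extension looks as if it pins the file type; the NUL byte removes it."""
    return php4_realpath(c_string(f"{TEMPLATE_DIR}/{action}{TEMPLATE_EXT}"))


def vulnerable_lang_path(lang: str) -> str:
    """1.4.0-alpha1 pattern: $lang spliced into a language include filename
    with no sanity check. Because 'language_' is glued to the front of the
    input, traversal has to pass through the bogus component 'language_xx',
    which only works because '..' is handled lexically."""
    return php4_realpath(c_string(f"{LANG_DIR}/language_{lang}{LANG_EXT}"))


def safe_template_path(action: str) -> Optional[str]:
    """Hardened: only names from a fixed allow-list reach the filesystem."""
    if action not in ALLOWED_ACTIONS:
        return None
    return php4_realpath(f"{TEMPLATE_DIR}/{action}{TEMPLATE_EXT}")


def safe_lang_path(lang: str) -> Optional[str]:
    """Hardened: a strict pattern on the language code rules out '/', '.'
    and NUL bytes before any filename is built."""
    if not LANG_CODE.fullmatch(lang):
        return None
    return php4_realpath(f"{LANG_DIR}/language_{lang}{LANG_EXT}")


def contained(path: str, expected_dir: str, expected_ext: str) -> bool:
    """Defence in depth where an allow-list is not possible: reject NUL
    bytes outright, then require the resolved path to sit directly inside
    expected_dir with the expected extension. Checking after resolution is
    what defeats the dir/file.ext/../.. trick."""
    if "\0" in path:
        return False
    resolved = php4_realpath(path)
    base = posixpath.join(WEBROOT, expected_dir) + "/"
    return (resolved.startswith(base)
            and "/" not in resolved[len(base):]
            and resolved.endswith(expected_ext))


if __name__ == "__main__":
    # Constructed request parameters, as an attacker would send them.
    evil_action = "../../../../etc/passwd\0"
    evil_lang = "xx/../../../../../etc/passwd\0"
    print("1.3.12  $action ->", vulnerable_template_path(evil_action))
    print("1.4.0a1 $lang   ->", vulnerable_lang_path(evil_lang))
    print("allow-list      ->", safe_template_path(evil_action), safe_lang_path(evil_lang))
    print("contained?      ->", contained(f"{TEMPLATE_DIR}/{evil_action}", TEMPLATE_DIR, TEMPLATE_EXT))
```

The allow-list functions are the fix to prefer: they never let request data become part of a filename. The contained() check is the fallback for code that must accept free-form names; note that it validates the resolved path, since checking the raw string for '..' would still pass 'lang/language_xx/../../etc/passwd.php' to a realpath that collapses through non-existent components.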

The vendor was reportedly notified on May 16, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/052004.html

Impact:   A remote user can view files on the target system with the privileges of the target web server.

A remote user can execute PHP code contained in files that reside on the target system.

Solution:   The vendor has released fixed versions (1.3.13 stable; 1.4.0 alpha2 unstable), available at:

http://www.phpmyfaq.de/download.php

Vendor URL:  www.phpmyfaq.de/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Advisory 05/2004: phpMyFAQ local file inclusion vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: phpMyFAQ local file inclusion vulnerability
 Release Date: 2004/05/18
Last Modified: 2004/05/18
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: phpMyFAQ stable release <= 1.3.12
               phpMyFAQ developer release <= 1.4.0-alpha1
     Severity: A vulnerability within phpMyFAQ allows inclusion of
               arbitrary local files
         Risk: Medium
Vendor Status: Vendor has released a bugfixed version.
    Reference: http://security.e-matters.de/advisories/052004.html


Overview:

   Quote from: http://www.phpmyfaq.de
   
   "phpMyFAQ is a multilingual, completely database-driven FAQ-system. For 
   the time being a MySQL database (support for other databases is under 
   development) is used to store all data, PHP 4.1.0 (or higher) is needed 
   in order to access this data. phpMyFAQ also offers a Content Management-
   System, flexible multi-user support, a news-system, user-tracking, 
   language modules, templates, extensive XML-support, PDF-support, a 
   backup-system and an easy to use installation script."
   
   Within phpMyFAQ an input validation problem exists which allows an
   attacker to include arbitrary local files. With known tricks to inject
   PHP code into log or session files this could lead to remote PHP code
   execution.
   
   
Details:
   
   While doing a fast audit of phpMyFAQ 1.3.12 and phpMyFAQ 1.4.0-alpha1,
   two different input validation problems were discovered in these versions.
   Affected in both cases is index.php, but in different places.
   
   phpMyFAQ 1.3.12 constructs a template filename with user input from the
   $action variable. It prefixes some directory name and adds an extension.
   This means it is not possible to include arbitrary remote files, but it
   is possible to use relative paths combined with '\0' string cut attacks
   to view any file on the system which is accessible, and under some
   circumstances this could result in arbitrary PHP code execution if the
   attacker is able to inject PHP code into known files.
   
   phpMyFAQ 1.4.0-alpha1 fails to validate that a supplied language code
   is valid. When constructing a language include filename the user supplied
   $lang variable is used without sanity checks. Similar to the previous
   issue this allows viewing any file on the system. Exploiting this flaw
   is possible because realpath supports paths like "dir/file.ext/../../..".


Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability to
   the public.
   

Disclosure Timeline:

   16. May 2004 - Vendor was notified via email.
   18. May 2003 - Vendor has released new versions fixing this problem.

   
Recommendation:

   To protect your server against similar problems with include and require
   statements and remote files or '\0' cut attacks I recommend you have a
   look at http://www.hardened-php.net which catches remote file includes
   and '\0' attacks before they can cause damage.
   
   
GPG-Key:

   Please note that from now on e-matters advisories will be signed
   with this NEW key

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAqd/zb31XLTAExLwRAriHAKDSlRBk3ZUwPOjbtXx9l8CFy9pBrACfR4Rw
QFJt/SM5/FPT67SjuPpo5B4=
=U1Iv
-----END PGP SIGNATURE-----


-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2022, SecurityGlobal.net LLC