[UNIX] Mambo PHP-Portal Vulnerability (XSS and Command Execution)
From: support@securiteam.com
Date: 01/12/03
From: support@securiteam.com To: list@securiteam.com Date: 12 Jan 2003 18:26:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mambo PHP-Portal Vulnerability (XSS and Command Execution)
------------------------------------------------------------------------
SUMMARY
<http://www.mamboserver.com/> Mambo Site Server is a website portal tool
written in PHP. Several vulnerabilities have been discovered in it, including
XSS and remote code execution on the server with the web server's permissions.
Several include and upload scripts do not check for admin access or any other
restriction, allowing attackers to run arbitrary code without permission.
DETAILS
Vulnerable systems:
* Mambo PHP Portal version 4.0.12 BETA and prior
Cross Site Scripting:
XSS exists in the following files, and possibly in a few more. The affected
parameter and the test payload are given in parentheses:
* administrator/popups/sectionswindow.php (type=web&link="<script>alert(document.cookie)</script>)
* administrator/gallery/gallery.php (directory="<script>alert(document.cookie)</script>)
* administrator/gallery/navigation.php (directory="<script>alert(document.cookie)</script>)
* administrator/gallery/uploadimage.php (directory="<script>alert(document.cookie)</script>)
* administrator/gallery/view.php (path="<script>alert(document.cookie)</script>)
* administrator/upload.php (newbanner=1&choice="<script>alert(document.cookie)</script>)
* themes/mambosimple.php (detection=detected&sitename=</title><script>alert(document.cookie)</script>)
* upload.php (type="<script>alert(document.cookie)</script>)
* emailfriend/emailarticle.php (id="<script>alert(document.cookie)</script>)
* emailfriend/emailfaq.php (id="<script>alert(document.cookie)</script>)
* emailfriend/emailnews.php (id="<script>alert(document.cookie)</script>)
Remote Arbitrary Code Execution
A remote command execution vulnerability was found in the gallery image
uploading utility under administrator directory.
administrator/gallery/uploadimage.php
(These are also exploitable: upload.php and administrator/upload.php)
Apparently, this file allows any remote or local user to upload 'images' to
the server without checking any permission settings. By bypassing the badly
written file-extension check, an attacker can upload files of any type to
the server.
Exploit:
The following code can be found inside the uploadimage.php file:

if (isset($fileupload)){
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }
    $filename = split("\.", $userfile_name);
    if (eregi("[^0-9a-zA-Z_]", $filename[0])){
        print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    if (file_exists($base_Dir.$userfile_name)){
        print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name))
        && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))
        && (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name))
        && (!eregi(".pdf", $userfile_name))){
        print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
        exit();
    }
    if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) ||
        (eregi(".xls", $userfile_name))){
        if (!copy($userfile, $pdf_path.$userfile_name)){
            echo "Failed to copy $userfile_name";
        }
    }
    elseif (!copy($userfile, $base_Dir.$userfile_name)){
        echo "Failed to copy $userfile_name";
    }
    if (eregi(".jpg", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    elseif (eregi(".pdf", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
    }
    if (eregi(".png", $userfile_name)){
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
    else {
        print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    }
}

First things first:

if (isset($fileupload)){
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }

This only sets the directory the files will be uploaded to. Both $directory
and $fileupload can be left empty.
Now let's examine the 'security check' included in this code:

if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name))
    && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))
    && (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name))
    && (!eregi(".pdf", $userfile_name))){

As the code shows, eregi() only checks whether '.ext' appears somewhere
inside the string $userfile_name; it does not check that the name ends with
that extension. An attacker can simply rename a file to r00t.jpg.php and
upload it without any warning.
Once the file has been uploaded, the attacker only needs to request
/images/stories/r00t.jpg.php to execute it, and has remote access to the
server with the web server's permissions.
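To make the failure mode concrete, here is an added example (not part of the advisory and not Mambo's own code) that reproduces the quoted extension test in Python beside a strict replacement. The `eregi(".jpg", ...)` patterns are POSIX regular expressions with an unescaped dot, so they are both substring matches and "any character followed by jpg" matches; `weak_extension_check` mirrors that behaviour. `strict_extension_check` looks only at the final extension, allows exactly one dot, rejects path separators and NUL bytes, and applies the alphanumeric rule the original code already applies to `$filename[0]` to the base name. The function names and all sample file names except r00t.jpg.php are this example's own.

```python
import re

# Extensions the quoted uploadimage.php accepts (taken from the advisory).
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "doc", "xls", "swf", "pdf"}

# Constructed sample names to exercise both checks. Only r00t.jpg.php comes
# from the advisory; the rest are made up for this example.
SAMPLE_NAMES = [
    "photo.JPG",      # legitimate upload, mixed-case extension
    "r00t.jpg.php",   # double extension: the rename the advisory describes
    "xgif.php",       # no '.gif' at all, but the unescaped '.' matches 'xgif'
    "my photo.jpg",   # space in the base name
    "../../x.pdf",    # directory traversal in the name
    "shell.php",      # plainly disallowed by either check
]


def weak_extension_check(userfile_name: str) -> bool:
    """Mirror of the advisory's check: eregi(".ext", $userfile_name) for each
    allowed extension. The pattern is a regex whose '.' is unescaped, and the
    match is a substring search, so '.ext' may appear anywhere in the name."""
    return any(
        re.search("." + ext, userfile_name, re.IGNORECASE) is not None
        for ext in ALLOWED_EXTENSIONS
    )


def strict_extension_check(userfile_name: str) -> bool:
    """Hardened replacement: no path separators or NUL bytes, exactly one dot,
    an alphanumeric/underscore base name, and a FINAL extension on the
    allow-list (compared case-insensitively)."""
    if any(ch in userfile_name for ch in ("/", "\\", "\x00")):
        return False
    parts = userfile_name.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    if not re.fullmatch(r"[0-9A-Za-z_]+", base):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def compare_checks(names=SAMPLE_NAMES) -> dict:
    """Return {name: (weak_result, strict_result)} for each sample name."""
    return {n: (weak_extension_check(n), strict_extension_check(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print(f"{name:16} weak={str(weak):5} strict={strict}")
```

Running the block shows that every name except `shell.php` passes the weak check, while only `photo.JPG` passes the strict one. The strict check is deliberately an allow-list on the whole name rather than a deny-list of dangerous extensions, so it does not depend on knowing which extensions the server's handler maps to PHP.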
Solution:
Please check the vendor's website for new patches.
In the meantime, remove the following files from your server:
* upload.php
* administrator/upload.php
* administrator/gallery/uploadimage.php
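Alongside removing the scripts, an administrator will want to know whether they were already used. The following is an added example (not part of the advisory) of a small scan over Apache combined-format access logs for the three activities the advisory describes: a POST to one of the three unrestricted upload scripts, a request for a `.php` file inside an upload directory, and a `<script` probe in a query string. The log lines are constructed for this example; only the file names and paths come from the advisory, and `SCRIPT_EXTENSIONS` is an assumption to be matched to what the local PHP handler actually maps.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines for this example. Hosts,
# timestamps and sizes are made up; r00t.jpg.php is the name the advisory uses.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2003:18:26:21 +0200] "POST /administrator/gallery/uploadimage.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Jan/2003:18:26:40 +0200] "GET /images/stories/r00t.jpg.php HTTP/1.0" 200 88 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2003:18:30:02 +0200] "GET /images/stories/banner.jpg HTTP/1.0" 200 4311 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2003:18:31:10 +0200] "GET /emailfriend/emailfaq.php?id=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 1033 "-" "Mozilla/4.0"
10.0.0.2 - - [12/Jan/2003:18:32:00 +0200] "GET /index.php HTTP/1.0" 200 9000 "-" "Mozilla/4.0"
"""

# Minimal parser for the combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The three upload scripts the advisory says perform no permission check.
UPLOAD_SCRIPTS = {
    "/upload.php",
    "/administrator/upload.php",
    "/administrator/gallery/uploadimage.php",
}
# Web-root paths of the directories the quoted code writes uploads into.
UPLOAD_DIRS = ("/images/stories/", "/uploadfiles/")
# Assumption: extend to every extension the local PHP handler executes.
SCRIPT_EXTENSIONS = {"php"}


def classify_request(method: str, target: str):
    """Return a rule name for a suspicious request, or None if it looks benign."""
    parts = urlsplit(target)
    path, query = parts.path, unquote(parts.query)
    if method == "POST" and path in UPLOAD_SCRIPTS:
        return "upload-endpoint"
    last_segment = path.rsplit("/", 1)[-1]
    final_ext = last_segment.rsplit(".", 1)[-1].lower()
    if path.startswith(UPLOAD_DIRS) and final_ext in SCRIPT_EXTENSIONS:
        return "script-in-upload-dir"
    if "<script" in query.lower():
        return "xss-probe"
    return None


def detect(log_text: str = SAMPLE_LOG):
    """Parse each log line and return (rule, client_ip, target) for every hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rule = classify_request(m["method"], m["target"])
        if rule:
            findings.append((rule, m["ip"], m["target"]))
    return findings


if __name__ == "__main__":
    for rule, ip, target in detect():
        print(f"{rule:22} {ip:10} {target}")
```

A hit on `script-in-upload-dir` with a 200 status is the strongest signal, since it means the web server actually executed a file from a directory that should only hold images; the `upload-endpoint` rule is noisy on its own but useful for tying the upload to the later execution by client address.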
ADDITIONAL INFORMATION
The information has been provided by Mindwarper <mailto:mindwarper@hush.com>.