PHPWCMS - Directory traversal vulnerability, CSS attack

Posted: Tue 15. Nov 2005, 22:22
by sumsum
SEE SECURITY FIX HERE!!!

please check this!


Author: Stefan Lochbihler
Date: 14. November 2005
Software: PHPWCMS
Version: 1.2.5-DEV
URL: http://www.phpwcms.de
Attack: Directory traversal vulnerability, CSS



about:
phpwcms is an Open Source web content management system.
It is optimized for fast and easy setup and works on any standard webserver platform that supports PHP/MySQL and was tested successfully on Windows 2000/XP, MacOSX and LINUX.
phpwcms is perfect for professional, public and private users.
It is very easy to learn and gives you the flexibility to separate layout and content. Lots of powerful but simply implemented features assist publishers and web developers too.


info:
During an audit of the phpwcms project I found out that it is vulnerable to the following attacks.

[1]

First the login.php script is vulnerable to a directory traversal attack.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/login.php?
POST:form_lang=../../../../../../../../etc/passwd%00

[2]

The same bug exists in the random_image.php script located at /img.
Due to the condition of the code it's not possible to read a well-aimed file.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/img/random_image.php?
GET:imgdir=../../../etc/

[3]

The act_newsletter.php located at /include/inc_act is vulnerable to a cross site scripting attack. Through this it's possible to read sensitive cookie information.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... ter.php?i=
V:target@target.com:<script>alert(document.cookie)</script>)

//base64encode


[4]

If register_globals is set to on, the same script is vulnerable to a cross site scripting attack.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... letter.php?
text=<script>alert(document.cookie)</script>


Vendor Status: The vendor is informed!


Discovered by Stefan Lochbihler


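A hardening sketch for the two bug classes in the advisory above, added here as an editorial example and not code from phpwcms or from its patch: [1]/[2] are closed by accepting only an allowlisted language token and confirming the resolved path stays inside the language directory, [3]/[4] by HTML-encoding request data before it is echoed. The directory layout, the ".lang.php" naming and the function names are assumptions.

```php
<?php
// Added editorial example, not phpwcms code. Shows the two fixes the advisory
// above calls for: strict allowlisting of the language token ([1]/[2]) and
// output encoding of reflected request data ([3]/[4]).

// Resolve a language file from the user-supplied form_lang value. Only a short
// allowlisted token is accepted, so "../", "/", "\" and "%00" never reach the
// filesystem. $langDir and the ".lang.php" naming are assumptions.
function resolveLangFile(string $formLang, string $langDir, array $allowed): ?string
{
    // \z (not $) so a trailing newline cannot sneak past the anchor.
    if (!preg_match('/^[a-z]{2}(_[A-Z]{2})?\z/', $formLang)) {
        return null;
    }
    if (!in_array($formLang, $allowed, true)) {
        return null;
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $formLang . '.lang.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the canonical path must still start with the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Encode anything echoed back into HTML (the "text" and "i" parameters in [3]/[4]).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed fixture: a temporary language directory holding one real file.
$langDir = sys_get_temp_dir() . '/lang_' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/de.lang.php', "<?php // de\n");
$allowed = ['de', 'en'];

var_dump(resolveLangFile('de', $langDir, $allowed));                                   // valid token, existing file
var_dump(resolveLangFile("../../../../../../../../etc/passwd\0", $langDir, $allowed)); // payload from [1]: rejected
var_dump(resolveLangFile('en', $langDir, $allowed));                                   // allowed token, file missing
echo escapeHtml('<script>alert(document.cookie)</script>'), "\n";                      // payload from [3]/[4]: inert text

unlink($langDir . '/de.lang.php');
rmdir($langDir);
```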

Posted: Fri 18. Nov 2005, 00:29
by Oliver Georgi
UPDATE 21-11-2005: Here are the patched files:

for releases 1.2.3 and newer:
http://www.phpwcms.org/securityFix/Patc ... _1.2.3.zip

releases 1.1.9, 1.2, 1.2.1:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip

for latest release of 1.1-RC4 (you have to test yourself for older versions):
http://www.phpwcms.org/securityFix/Patc ... .1-RC4.zip


really: if your php is set up very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.


Oliver

Posted: Fri 18. Nov 2005, 09:58
by volkman
Hi OG!
thx for the answer. I am using DEV 1.2.5. Should I use the patch as well?

thanks
volkman

Posted: Fri 18. Nov 2005, 10:00
by pepe
for current releases 1.1.9 and up:

Posted: Fri 18. Nov 2005, 10:19
by jscholtysik
Hi Oliver,


as far as I have seen, the patch files do not differ at all from those contained in the CVS of 16.11.2005, except for "random_image.php"... :?:

Since the following was included in random_image.php:

require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");

these two files "conf.inc.php" and "default.inc.php" would also have to have been changed and be included in this package, wouldn't they?


Joachim

Posted: Fri 18. Nov 2005, 12:13
by Kosse
Oliver Georgi wrote:Here are the patched files:

for current releases 1.1.9 and up:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip


really: if your php is set up very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.


Oliver
Hi all,
does this apply to cvs versions 1.2.6 (pappnase's list)?
or maybe in next release?
Thx

If you do a search with Google you'll find like 20+ sites reporting the bug; what tool do you use to say: ok, thank you, I've fixed it?
Is this Stefan Lochbihler your personal enemy, Oliver?? :P ;) (don't understand why he couldn't just send you an email saying there is a minor flaw instead of posting it to like 20+ bug trackers???)

Cheers

Posted: Fri 18. Nov 2005, 13:47
by Oliver Georgi
It is included in CVS since 15.11.2005

Oliver

Posted: Fri 18. Nov 2005, 13:48
by Oliver Georgi
jscholtysik wrote:Hi Oliver,


as far as I have seen, the patch files do not differ at all from those contained in the CVS of 16.11.2005, except for "random_image.php"... :?:

Since the following was included in random_image.php:

require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");

these two files "conf.inc.php" and "default.inc.php" would also have to have been changed and be included in this package, wouldn't they?


Joachim
No - they are already present in your system.

Oliver

Posted: Fri 18. Nov 2005, 15:57
by jscholtysik
Hello Oliver,


in the CVS package of 16.11.2005 random_image.php is 1752 bytes in size, but in your security update of 18.11.2005 only 1587 bytes... ;-)

And as I can see with WinMerge, you took out the following block:

function readfile_chunked($filename, $retbytes = true) {
    $chunksize = 1*(1024*1024); // how many bytes per chunk
    $buffer = '';
    $cnt = 0;
    $handle = @fopen($filename, 'rb');
    if ($handle === false) {
        return false;
    }
    while (!feof($handle)) {
        $buffer = @fread($handle, $chunksize);
        echo $buffer;
        flush();
        if ($retbytes) {
            $cnt += strlen($buffer);
        }
    }
    $status = @fclose($handle);
    if ($retbytes && $status) {
        return $cnt; // return num. bytes delivered like readfile() does.
    }
    return $status;
}

and instead probably put the function(s) into the two include files, right?

So in the end at least two files would have to have been changed, or am I seeing this wrong?


Joachim

Posted: Fri 18. Nov 2005, 16:15
by Oliver Georgi
no, the required function is already contained in one of the newly included files.

That is why it could be taken out.

Oliver

Posted: Fri 18. Nov 2005, 18:09
by jscholtysik
OK, thank you very much.


Joachim

Posted: Mon 21. Nov 2005, 15:57
by kiwix
Hello,

why isn't this thread to be found at


http://www.phpwcms.de/forum/viewforum.php?f=13
phpwcms !!!Security Alert!!!
check this often to be informed about any security problem that was reported.
Moderator Admins

In every other forum, this important information will get lost.

Cheers
KiWiX

Posted: Mon 21. Nov 2005, 17:31
by Ben
The new login.php does not work for an installation of v. 1.1.9. After copying the new file, it says "Errors during login" when trying to log in.

EDIT: The new login.php does not work for versions 1.1.9 and 1.2.1, but it does work for 1.2.3 and 1.2.5.
Any ideas why it does not work for those 2 versions?

Posted: Mon 21. Nov 2005, 19:14
by Oliver Georgi
I cannot recommend usage in 1.1.9 and 1.2.1 - not tested, sorry. But check using WinMerge.

Oliver