PHPWCMS - Directory traversal vulnerability, CSS attack
SEE SECURITY FIX HERE!!!
please check this!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Author: Stefan Lochbihler
Date: 14. November 2005
Software: PHPWCMS
Version: 1.2.5-DEV
URL: http://www.phpwcms.de
Attack: Directory traversal vulnerability,CSS
about:
phpwcms is an Open Source web content management system.
It is optimized for fast and easy setup and works on any standard webserver platform that supports PHP/MySQL and was tested successfully on Windows 2000/XP, MacOSX and LINUX.
phpwcms is perfect for professional, public and private users.
It is very easy to learn and gives you the flexibility to separate layout and content. Lots of powerful but simply implemented features assist publishers and web developers too.
info:
During an audit of the phpwcms project I found out that it is vulnerable to the following attacks.
[1]
First the login.php script is vulnerable to a directory traversal attack.
Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/login.php?
POST:form_lang=../../../../../../../../etc/passwd%00
[2]
The same bug exists in the random_image.php script located at /img.
Due to the condition of the code it is not possible to read a well-aimed file.
Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/img/random_image.php?
GET:imgdir=../../../etc/
[3]
The act_newsletter.php located at /include/inc_act is vulnerable to a cross site scripting attack. Through this it's possible to read sensitive cookie information.
Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... ter.php?i=
V:target@target.com:<script>alert(document.cookie)</script>)
//base64encode
[4]
If register_globals is set to on, the same script is vulnerable to a cross site scripting attack.
Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... letter.php?
text=<script>alert(document.cookie)</script>
Vendor Status: The vendor is informed!
Discovered by Stefan Lochbihler
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDeRZmaZIyFDbShWQRAuQCAKCIkq8RVVe6XCRsZUEGVK9l/1lWNwCePP8/
IUTMQ2QzFYdc6yP+rPpYxLI=
=ySQs
-----END PGP SIGNATURE-----
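The two bug classes in the advisory above, shown as an added example that is not phpwcms code: a request parameter turned into a file path (findings [1] and [2]) and request text written into HTML unescaped (findings [3] and [4]), each beside a hardened replacement. The function names, the language-directory layout, the allow-list of language codes and the demo inputs are assumptions made for this illustration.

```php
<?php
// Added example, not phpwcms code. Function names, directory layout and the
// allow-list below are assumptions chosen for illustration.
declare(strict_types=1);

// --- [1]/[2] path traversal --------------------------------------------------

// Vulnerable shape: the parameter is pasted into a path unchanged. "../" walks
// out of the language directory, and on PHP versions before 5.3.4 a %00 (NUL)
// byte cut the string, so the fixed ".lang.php" suffix protected nothing.
function lang_file_unsafe(string $form_lang, string $lang_dir): string
{
    return $lang_dir . '/' . $form_lang . '.lang.php';
}

// Hardened shape: an allow-list decides which codes exist, the value must match
// a strict pattern (no "/", ".", or NUL can pass it), and the resolved path is
// still required to lie inside $lang_dir as an independent second barrier.
function lang_file(string $form_lang, string $lang_dir,
                   array $allowed = ['en', 'de'], string $default = 'en'): ?string
{
    if (!preg_match('/^[a-z]{2,5}$/', $form_lang) || !in_array($form_lang, $allowed, true)) {
        $form_lang = $default;          // unknown or malformed code: fall back
    }
    $base = realpath($lang_dir);
    $real = realpath($lang_dir . '/' . $form_lang . '.lang.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                    // missing file or resolved outside $base
    }
    return $real;
}

// --- [3]/[4] cross-site scripting --------------------------------------------

// Vulnerable shape: request data is written into the page as-is, so a value of
// "<script>alert(document.cookie)</script>" runs in the visitor's browser.
function newsletter_text_unsafe(string $text): string
{
    return '<p>' . $text . '</p>';
}

// Hardened shape: encode for the HTML context at output time. ENT_QUOTES also
// covers attribute contexts and the charset is named so the encoder does not
// guess. Reading the value explicitly from $_POST, never via register_globals,
// is the other half of the fix for finding [4].
function newsletter_text(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Demo with constructed inputs (run from the CLI: php this_file.php).
if (PHP_SAPI === 'cli') {
    // Constructed language directory with two real language files.
    $dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/en.lang.php", "<?php // constructed\n");
    file_put_contents("$dir/de.lang.php", "<?php // constructed\n");

    foreach (['de', '../../../../etc/passwd', "de\0", 'fr'] as $probe) {
        printf("%-30s unsafe=%s hardened=%s\n", json_encode($probe),
            json_encode(lang_file_unsafe($probe, $dir)),
            json_encode(lang_file($probe, $dir)));
    }

    $text = $_POST['text'] ?? '<script>alert(document.cookie)</script>';
    echo newsletter_text_unsafe($text), "\n", newsletter_text($text), "\n";

    unlink("$dir/en.lang.php");
    unlink("$dir/de.lang.php");
    rmdir($dir);
}
```

The allow-list is the real control; the realpath containment check exists so that a later loosening of the pattern (say, to allow region suffixes) cannot silently reopen the traversal, and the output encoding is applied at the point of rendering rather than on input so that the stored value stays usable in other contexts.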
- Oliver Georgi
- Site Admin
- Posts: 9907
- Joined: Fri 3. Oct 2003, 22:22
- Contact:
UPDATE 21-11-2005: Here are the patched files:
for releases 1.2.3 and newer:
http://www.phpwcms.org/securityFix/Patc ... _1.2.3.zip
releases 1.1.9, 1.2, 1.2.1:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip
for latest release of 1.1-RC4 (you have to test yourself for older versions):
http://www.phpwcms.org/securityFix/Patc ... .1-RC4.zip
really: if your php is set very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.
Oliver
Last edited by Oliver Georgi on Mon 21. Nov 2005, 21:06, edited 2 times in total.
Hi Oliver,
as far as I can see, the patch files do not differ at all from those contained in the CVS of 16.11.2005, except for "random_image.php"...
After the following was included in random_image.php:
Code: Select all
require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");
shouldn't these two files "conf.inc.php" and "default.inc.php" have been changed as well and be contained in this package?
Joachim
Hi all,
Oliver Georgi wrote:
Here are the patched files:
for current releases 1.1.9 and up:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip
really: if your php is set very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.
Oliver
does this apply to cvs versions 1.2.6 (pappnase's list)?
or maybe in next release?
Thx
If u do a search with google you'll find like 20+ sites reporting the bug, what tool do you use to say: ok, thank you, I've fixed it?
Is this Stefan Lochbihler your personal enemy Oliver?? (don't understand why he couldn't just send you an email saying there is a minor flaw instead of posting it to like 20+ bug tracks???)
Cheers
1.3 out, testing, testing...
Sponsoring 4 phpwcms Blog and Usermanagement
- Oliver Georgi
- Site Admin
- Posts: 9907
- Joined: Fri 3. Oct 2003, 22:22
- Contact:
jscholtysik wrote:
Hi Oliver,
as far as I can see, the patch files do not differ at all from those contained in the CVS of 16.11.2005, except for "random_image.php"...
After the following was included in random_image.php:
Code: Select all
require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");
shouldn't these two files "conf.inc.php" and "default.inc.php" have been changed as well and be contained in this package?
Joachim
No - those are already present in your system.
Oliver
Hello Oliver,
in the CVS package of 16.11.2005 random_image.php is 1752 bytes, but in your security update of 18.11.2005 it is only 1587 bytes...
And as I can see with WinMerge, you took out the following block:
Code: Select all
function readfile_chunked($filename, $retbytes = true) {
    $chunksize = 1 * (1024 * 1024); // how many bytes per chunk
    $buffer = '';
    $cnt = 0;
    $handle = @fopen($filename, 'rb');
    if ($handle === false) {
        return false;
    }
    while (!feof($handle)) {
        $buffer = @fread($handle, $chunksize);
        echo $buffer;
        flush();
        if ($retbytes) {
            $cnt += strlen($buffer);
        }
    }
    $status = @fclose($handle);
    if ($retbytes && $status) {
        return $cnt; // return num. bytes delivered like readfile() does.
    }
    return $status;
}
and probably moved the function(s) into the two include files instead, right?
So in the end at least two files must have been changed, or am I seeing this wrong?
Joachim
- Oliver Georgi
- Site Admin
- Posts: 9907
- Joined: Fri 3. Oct 2003, 22:22
- Contact:
Hello,
why isn't this thread at
http://www.phpwcms.de/forum/viewforum.php?f=13
phpwcms !!!Security Alert!!!
check this often to be informed about any security problem that was reported.
Moderator Admins
In every other forum, this important information will get lost.
Cheers
KiWiX
The new login.php does not work for an installation of v. 1.1.9. After copying the new file, it says "Errors during login" when trying to log in.
EDIT: The new login.php does not work for versions 1.1.9 and 1.2.1, but it does work for 1.2.3 and 1.2.5.
Any ideas why it does not work for those 2 versions?
- Oliver Georgi
- Site Admin
- Posts: 9907
- Joined: Fri 3. Oct 2003, 22:22
- Contact: