PHPWCMS - Directory traversal vulnerability,CSS attack

check this often to be informed about any security problem that was reported.
Post Reply
sumsum
Posts: 1
Joined: Tue 15. Nov 2005, 22:08

PHPWCMS - Directory traversal vulnerability,CSS attack

Post by sumsum »

SEE SECURITY FIX HERE!!!

please check this !

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Author: Stefan Lochbihler
Date: 14. November 2005
Software: PHPWCMS
Version: 1.2.5-DEV
URL: http://www.phpwcms.de
Attack: Directory traversal vulnerability,CSS



about:
phpwcms is an Open Source web content management system.
It is optimized for fast and easy setup and works on any standard webserver platform that supports PHP/MySQL and was tested successfully on Windows 2000/XP, MacOSX and LINUX.
phpwcms is perfect for professional, public and private users.
It is very easy to learn and gives you the flexibility to separate layout and content. Lots of powerful but simple implemented features assists publishers and web developers too.


info:
During an audit of the phpwcms project i find out that it is vulnerable to the following attacks.

[1]

First the login.php script is vulnerable to a directory traversal attack.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/login.php?
POST:form_lang=../../../../../../../../etc/passwd%00

[2]

The same bug exist at the random_image.php script located at /img.
Do the condition of the code its not possible to read a well aimed file.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/img/random_image.php?
GET:imgdir=../../../etc/

[3]

The act_newsletter.php located at /include/inc_act is vulnerable to a cross site scripting attack. Through this its possible to read sensitive cookie informations.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... ter.php?i=
V:target@target.com:<script>alert(document.cookie)</script>)

//base64encode


[4]

If register_globals is set to on the same script is vulernable to a cross site scripting attack.

Through the following packet it is possible to read sensitive data.
http://www.target.com/phpwcms/include/i ... letter.php?
text=<script>alert(document.cookie)</script>


Vendor Status: The vendor is informed !


Discovered by Stefan Lochbihler


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDeRZmaZIyFDbShWQRAuQCAKCIkq8RVVe6XCRsZUEGVK9l/1lWNwCePP8/
IUTMQ2QzFYdc6yP+rPpYxLI=
=ySQs
-----END PGP SIGNATURE-----
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

UPDATE 21-11-2005: Here are the patched files:

for releases 1.2.3 and newer:
http://www.phpwcms.org/securityFix/Patc ... _1.2.3.zip

releases 1.1.9, 1.2, 1.2.1:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip

for latest release of 1.1-RC4 (you have to test yourself for older versions):
http://www.phpwcms.org/securityFix/Patc ... .1-RC4.zip


really: if your php is set very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.


Oliver
Last edited by Oliver Georgi on Mon 21. Nov 2005, 21:06, edited 2 times in total.
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
volkman
Posts: 179
Joined: Wed 13. Jul 2005, 12:52
Location: Hamburg, Germany

Post by volkman »

Hi OG!
thx for the answer. I am using DEV 1.2.5. Should I use the patch aswell??

thanks
volkman
pepe
Posts: 3954
Joined: Mon 19. Jan 2004, 13:46

Post by pepe »

for current releases 1.1.9 and up:
jscholtysik

Post by jscholtysik »

Hi Oliver,


so wie ich gesehen habe, unterscheiden sich die Patchdateien bis auf die "random_image.php" gar nicht von denen, die im CVS vom 16.11.2005 enthalten waren... :?:

Nachdem in der random_image.php Folgendes eingebunden wurde:

Code: Select all

require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");
müssten doch auch diese zwei Dateien "conf.inc.php" und "default.inc.php" geändert worden und in diesem Paket mit drin sein, oder?


Joachim
User avatar
Kosse
Posts: 1066
Joined: Thu 9. Sep 2004, 12:08
Location: Brussels, Belgium
Contact:

Post by Kosse »

Oliver Georgi wrote:Here are the patched files:

for current releases 1.1.9 and up:
http://www.phpwcms.org/securityFix/Patc ... _1.1.9.zip


really: if your php is set very well it should be no real problem because it would not be possible to jump out of your web root. But better to have it fixed again.


Oliver
Hi all,
does this apply to cvs versions 1.2.6 (pappnase's list)?
or maybe in next release?
Thx

If u do a search with google you'll find like 20+ sites reporting the bug, what tool do you use to say: ok, thank you, I've fixed it?
Is this Stefan Lochbihler your personal enemy Oliver?? :P ;) (don't understand why he couldn't just send you an email saying there is a minor flaw instead of posting it to like 20+ bug tracks???)

Cheers
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

It is included in CVS since 15.11.2005

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

jscholtysik wrote:Hi Oliver,


so wie ich gesehen habe, unterscheiden sich die Patchdateien bis auf die "random_image.php" gar nicht von denen, die im CVS vom 16.11.2005 enthalten waren... :?:

Nachdem in der random_image.php Folgendes eingebunden wurde:

Code: Select all

require_once ('../config/phpwcms/conf.inc.php');
require_once ("../include/inc_lib/default.inc.php");
müssten doch auch diese zwei Dateien "conf.inc.php" und "default.inc.php" geändert worden und in diesem Paket mit drin sein, oder?


Joachim
Nein - die sind doch bereits in Deinem System vorhanden.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
jscholtysik

Post by jscholtysik »

Hallo Oliver,


im CVS-Paket vom 16.11.2005 ist die random_image.php 1752 Bytes groß und in Deinem Security-Update vom 18.11.2005 aber nur 1587 Bytes... ;-)

Und wie ich mit Winmerge sehen kann, hast Du folgenden Block herausgenommen:

Code: Select all

function readfile_chunked($filename,$retbytes=true) {
   $chunksize = 1*(1024*1024); // how many bytes per chunk
   $buffer = '';
   $cnt =0;
   $handle = @fopen($filename, 'rb');
   if ($handle === false) {
       return false;
   }
   while (!feof($handle)) {
       $buffer = @fread($handle, $chunksize);
       echo $buffer;
       flush();
       if ($retbytes) {
           $cnt += strlen($buffer);
       }
   }
   $status = @fclose($handle);
   if ($retbytes && $status) {
       return $cnt; // return num. bytes delivered like readfile() does.
   }
   return $status;
}
und dafür wahrscheinlich die Funktion(en) in die zwei include-Dateien eingebunden, oder?

Also müssten doch letztendlich mindestens zwei Dateien geändert worden sein, oder sehe ich das falsch?


Joachim
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

nein, die benötigte Funktion befindet sich bereits in einer der neu inkludierten Dateien.

Deswegen konnte diese heraus.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
jscholtysik

Post by jscholtysik »

OK, vielen Dank.


Joachim
kiwix
Posts: 65
Joined: Fri 25. Feb 2005, 09:40

Post by kiwix »

Hallo,

warum ist dieser Thread nicht unter


http://www.phpwcms.de/forum/viewforum.php?f=13
phpwcms !!!Security Alert!!!
check this often to be informed about any security problem that was reported.
Moderator Admins

zu finden. In jedem anderen Forum geht doch so eine wichtige Information unter.

Gruß
KiWiX

Hello,

why isn't that threat at


http://www.phpwcms.de/forum/viewforum.php?f=13
phpwcms !!!Security Alert!!!
check this often to be informed about any security problem that was reported.
Moderator Admins

In ervey other forum, this important information will get lost.

Cheers
KiWiX
Ben
Posts: 558
Joined: Wed 14. Jan 2004, 08:05
Location: Atlanta
Contact:

Post by Ben »

The new login.php does not work for an installation of v. 1.1.9. After copying the new file, it says "Errors during login" when trying to log in.

EDIT: The new login.php does not work for versions 1.1.9 and 1.2.1, but it does work for 1.2.3 and 1.2.5.
Any ideas why it does not work for those 2 versions?
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

I can not recommend usage in 1.1.9 and 1.2.1 - not tested sorry. But check using WinMerge.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
Post Reply