Mambo Site Server Remote Code Execution

From: Mindwarper (loggerat_private)
Date: Thu Jan 09 2003 - 22:26:08 PST


    Mambo PHP-Portal Vulnerability ( By Mindwarper :: loggerat_private :: )
    
    <------- ------->
    
    ----------------------
    Vendor Information:
    ---------------------- 
    
    Homepage : http://www.mamboserver.com
    Vendor : informed
    Mailed advisory: 09/01/03
    Vendor Response : None yet
    
    
    ----------------------
    Affected Versions:
    ----------------------
    
    4.0.12 BETA and Prior
    
    
    ----------------------
    Description:
    ----------------------
    
    Mambo Site Server is a website portal tool written in PHP. A couple of
    vulnerabilities have been discovered, including XSS and remote code
    execution on the server with the web server's permissions. Several include
    and upload scripts do not check for admin access or any other type of
    restriction, and allow attackers to run arbitrary code without permission.
    
    ----------------------
    Vulnerability:
    ----------------------
    
    1. XSS exists in the following files and possibly in a couple more.
    
    	administrator/popups/sectionswindow.php
    (type=web&link="<script>alert(document.cookie)</script>)
    
    	administrator/gallery/gallery.php
    (directory="<script>alert(document.cookie)</script>)
    
    	administrator/gallery/navigation.php
    (directory="<script>alert(document.cookie)</script>)
    
    	administrator/gallery/uploadimage.php
    (directory="<script>alert(document.cookie)</script>)
    
    	administrator/gallery/view.php
    (path="<script>alert(document.cookie)</script>)
    
    	administrator/upload.php
    (newbanner=1&choice="<script>alert(document.cookie)</script>)
    
    	themes/mambosimple.php
    (detection=detected&sitename=</title><script>alert(document.cookie)</script>)
    
    	upload.php (type="<script>alert(document.cookie)</script>)
    	
    	emailfriend/emailarticle.php (id="<script>alert(document.cookie)</script>)
    
    	emailfriend/emailfaq.php (id="<script>alert(document.cookie)</script>)
    
    	emailfriend/emailnews.php (id="<script>alert(document.cookie)</script>)
    
    
    
    2. Remote Arbitrary Code Execution is found in the gallery image uploader
    under administrator directory.
    
    	administrator/gallery/uploadimage.php
    
    	(these are also exploitable:  upload.php and administrator/upload.php)
    
    	Apparently, this file allows any remote or local user to upload 'images'
    to the server without checking for any permissions. By tricking the badly
    written file extension security check, an attacker can upload arbitrary
    files of any type to the server.
    
    
    ----------------------
    Exploit:
    ----------------------
    
    The following code can be found inside uploadimage.php file.
    
    
    **********************************************************************
    
    
    ...
    
    if (isset($fileupload)){
    	if ($directory!="uploadfiles"){
    		$base_Dir = "../../images/stories/";
    	}else{
    		$base_Dir = "../../uploadfiles/$Itemid/";
    	}
    	
    	// only the part before the first '.' is checked for safe characters
    	$filename = split("\.", $userfile_name);
    	if (eregi("[^0-9a-zA-Z_]", $filename[0])){
    		print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
    		exit();
    	}
    	
    	if (file_exists($base_Dir.$userfile_name)){
    		print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
    		exit();
    	}
    	
    	// the extension 'check': an unanchored substring match on the whole name
    	if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) &&
    	    (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name)) &&
    	    (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name)) &&
    	    (!eregi(".pdf", $userfile_name))){
    		print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
    		exit();
    	}
    	
    	if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) ||
    	    (eregi(".xls", $userfile_name))){
    		if (!copy($userfile, $pdf_path.$userfile_name)){
    			echo "Failed to copy $userfile_name";
    		}
    	}
    	elseif (!copy($userfile, $base_Dir.$userfile_name)){
    		echo "Failed to copy $userfile_name";
    	}
    	
    	if (eregi(".jpg", $userfile_name)){
    		print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    	}
    	elseif (eregi(".pdf", $userfile_name)){
    		print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
    	}
    	if (eregi(".png", $userfile_name)){
    		print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    	}
    	else {
    		print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&image=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
    	}
    }
    
    ...
    
    
    **********************************************************************
    
    
    First of all,
    
    ---=---
    if (isset($fileupload)){
    	if ($directory!="uploadfiles"){
    		$base_Dir = "../../images/stories/";
    	}else{
    		$base_Dir = "../../uploadfiles/$Itemid/";
    	}
    ---=---
    
    just sets the directory the files will be uploaded to.
    We can leave both $directory and $fileupload empty.
    
    Now let's examine the 'security check' that is included in this code:
    
    ---=---
    if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) &&
    (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name)) &&
    (!eregi(".xls", $userfile_name)) && (!eregi(".swf", $userfile_name)) &&
    (!eregi(".pdf", $userfile_name))){
    ---=---
    
    As you can see, eregi() only checks whether '.ext' occurs somewhere inside
    the string $userfile_name; it does not check that the name ends with that
    extension. The attacker can simply rename his file to r00t.jpg.php and
    upload it without any warnings.
    
    After uploading the arbitrary file successfully, the attacker just needs to
    activate his code by calling /images/stories/r00t.jpg.php, and he has
    remote access to the server with the web server's permissions.
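    As an added example (not part of the advisory and not Mambo's code), the
    check above rewritten in modern PHP next to a hardened replacement, run on
    constructed file names; the function names and sample names are my own.

```php
<?php
// Added example, not from the advisory or from Mambo. eregi() was removed in
// PHP 7; preg_match() with the /i flag has the same semantics, which is all
// the weak check needs: an unescaped '.' matches any character and the
// pattern is not anchored, so the extension may sit anywhere in the name.
function weak_extension_check(string $name): bool {
    foreach (['gif', 'png', 'jpg', 'doc', 'xls', 'swf', 'pdf'] as $ext) {
        if (preg_match('/.' . $ext . '/i', $name)) {
            return true;
        }
    }
    return false;
}

// Hardened replacement: drop any directory component, require exactly one
// dot (so a double extension such as .jpg.php is rejected), keep the
// original's alphanumeric rule for the stem, and compare the extension
// case-insensitively against an allowlist. Narrow the list to what the
// site really needs; this one is only the original's minus the office and
// Flash types. An authorization check before this function is still
// required, since the advisory's scripts had none.
function strict_extension_check(string $name): bool {
    $parts = explode('.', basename($name));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    if (!preg_match('/^[0-9a-z_]+$/i', $parts[0])) {
        return false;
    }
    return in_array(strtolower($parts[1]), ['gif', 'png', 'jpg', 'pdf'], true);
}

// Constructed sample names covering the cases the advisory describes.
$samples = ['photo.jpg', 'r00t.jpg.php', 'xjpgx', 'notes.PDF'];
foreach ($samples as $name) {
    printf("%-14s weak=%s strict=%s\n", $name,
        weak_extension_check($name) ? 'pass' : 'fail',
        strict_extension_check($name) ? 'pass' : 'fail');
}
```

    The weak check passes all four names, including r00t.jpg.php and the
    extensionless xjpgx; the strict check passes only photo.jpg and notes.PDF.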
    
    
    ----------------------
    Solution:
    ---------------------- 
    
    Please check the vendor's website for new patches.
    
    Meanwhile you should remove the following files from your server:
    
    upload.php
    administrator/upload.php
    administrator/gallery/uploadimage.php
    
    ----------------------
    Greetz:
    ----------------------
    
    Cyon, daemorhedron, Tt, Truckle, ps.
    
    <------- ------->
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 20:57:06 PST