QuiXplorer 2.41beta LFI / Traversal / Code Execution

Published: 18 Dec 2009. Reported by Juan Galiana Lara. Type: packetstorm. Source: packetstormsecurity.com

QuiXplorer RCE Vulnerability in 'lang' Parameter

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-003  
- Original release date: March 2nd, 2009  
- Last revised: December 17th, 2009  
- Discovered by: Juan Galiana Lara  
- Severity: 9/10 (CVSS scored)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
QuiXplorer <= 2.4.1beta standalone and as a Mambo/Joomla component  
'lang' parameter Remote Code Execution Vulnerability.  
  
II. BACKGROUND  
-------------------------  
QuiXplorer is a multi-user, web-based file manager. It allows you to
manage and/or share files over the Internet or an intranet.
It is currently available in many languages, under GPL and MPL
licenses, and is referenced in other open source projects.
  
III. DESCRIPTION  
-------------------------  
QuiXplorer is prone to a local file include and directory traversal
vulnerability because the application fails to sufficiently sanitize
user-supplied input: the 'lang' parameter is not properly sanitized.
Since the application also allows uploading files to the server, this
can be combined with the previous flaw to let an attacker execute
arbitrary code remotely in the context of the web server. This may aid
in launching further attacks.
  
To perform the attack, an attacker could upload a malicious PHP file
(the upload action is allowed by the application), then exploit a bug
that reveals the full path of the recently uploaded file (if the
'display_errors' directive is set to On), and finally include that file
through the local file include and directory traversal flaw (using
../../path/to/file) to execute the PHP code.
Successful exploitation of this flaw may aid in the compromise of the
server in the context of the web server.
  
IV. PROOF OF CONCEPT  
-------------------------  
Here is the affected code (line numbers from .include/init.php):

80 // Get Language
81 if(isset($GLOBALS['__GET']["lang"])) $GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
82 elseif(isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"]=$GLOBALS['__POST']["lang"];
83 //------------------------------------------------------------------------------
84 // Necessary files
85 ob_start(); // prevent unwanted output
86 require "./.config/conf.php";
87 if(isset($GLOBALS["lang"])) $GLOBALS["language"]=$GLOBALS["lang"];
88 require "./_lang/".$GLOBALS["language"].".php"; <----- HERE
89 require "./_lang/".$GLOBALS["language"]."_mimes.php"; <----- HERE
  
Proof of concept: http://site/path/?lang=../path/to/malicious_uploaded_code
  
By exploiting this bug it is possible to include PHP files, allowing an
attacker to execute any arbitrary code they want.
It is also possible to hide the crafted parameter data by sending it
through the POST method, making detection more difficult for the site
administrator.
  
Regarding the full path disclosure, if the web server has the
'display_errors' directive set to On, try:
  
http://site/path/?lang=no_exists  
  
And the application returns:
  
Warning: require(./_lang/no_exists.php) [function.require]: failed to  
open stream: No such file or directory in  
/var/www/quix/.include/init.php on line 88  
Fatal error: require() [function.require]: Failed opening required  
'./_lang/no_exists.php'  
(include_path='.:/usr/share/php:/usr/share/pear') in  
/var/www/quix/.include/init.php on line 88  
  
This reveals the path to the home directory of the file manager.
  
V. BUSINESS IMPACT  
-------------------------  
An attacker could view any file or execute arbitrary code remotely
in the context of the web server.
  
VI. SYSTEMS AFFECTED  
-------------------------  
All versions of QuiXplorer are affected;
at the moment, <= 2.4.1beta.
  
VII. SOLUTION  
-------------------------  
As the developers gave no response, we add a mitigation as a solution.
To patch, change only these lines (line numbers from .include/init.php):
  
From:
81 if(isset($GLOBALS['__GET']["lang"])) $GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
82 elseif(isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"]=$GLOBALS['__POST']["lang"];

To:
81 if(isset($GLOBALS['__GET']["lang"])) $GLOBALS["lang"]=basename($GLOBALS['__GET']["lang"]);
82 elseif(isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"]=basename($GLOBALS['__POST']["lang"]);
  
Passing the parameter through the basename() function fixes the flaw.
  
And to prevent the full path disclosure...  
  
From:
88 require "./_lang/".$GLOBALS["language"].".php";
89 require "./_lang/".$GLOBALS["language"]."_mimes.php";

To:
88 if(file_exists("./_lang/".$GLOBALS["language"].".php")) require "./_lang/".$GLOBALS["language"].".php";
89 else require "./_lang/en.php";
90 if(file_exists("./_lang/".$GLOBALS["language"]."_mimes.php")) require "./_lang/".$GLOBALS["language"]."_mimes.php";
91 else require "./_lang/en_mimes.php";
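As an added illustration (not code from the advisory or from QuiXplorer), the following Python models how the 'lang' value reaches the require at init.php line 88 before and after the proposed basename()/file_exists() patch, on a constructed directory layout, and adds a realpath confinement check that goes one step beyond the advisory's fix. The `uploads` directory and file names are assumptions.

```python
import os
import tempfile


def vulnerable_resolve(lang_dir: str, lang: str) -> str:
    """Models the unpatched line 88: the parameter is concatenated into the
    path with no sanitisation, so '..' segments walk out of lang_dir."""
    return os.path.normpath(os.path.join(lang_dir, lang + ".php"))


def patched_resolve(lang_dir: str, lang: str, default: str = "en") -> str:
    """Models the advisory's fix: basename() strips every directory component,
    and a file_exists() check falls back to the default language file
    instead of raising the path-disclosing require() error."""
    name = os.path.basename(lang)
    candidate = os.path.join(lang_dir, name + ".php")
    if not os.path.isfile(candidate):
        candidate = os.path.join(lang_dir, default + ".php")
    return os.path.normpath(candidate)


def is_confined(lang_dir: str, path: str) -> bool:
    """Defence-in-depth check not in the advisory: the resolved path must
    stay under lang_dir after symlinks are resolved."""
    root = os.path.realpath(lang_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo() -> dict:
    """Constructed layout: _lang/{en,en_mimes,de}.php plus an uploaded
    uploads/x.php outside _lang; resolve three 'lang' values both ways."""
    base = tempfile.mkdtemp()
    lang_dir = os.path.join(base, "_lang")
    os.makedirs(lang_dir)
    os.makedirs(os.path.join(base, "uploads"))
    for name in ("en", "en_mimes", "de"):
        open(os.path.join(lang_dir, name + ".php"), "w").close()
    open(os.path.join(base, "uploads", "x.php"), "w").close()
    results = {}
    for value in ("de", "../uploads/x", "no_exists"):
        results[value] = {
            "vuln_confined": is_confined(lang_dir, vulnerable_resolve(lang_dir, value)),
            "patched": os.path.basename(patched_resolve(lang_dir, value)),
        }
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"lang={value!r}: {outcome}")
```

Only the traversal value escapes `_lang` in the unpatched model; after the patch it collapses to `x` and, because no such language file exists, falls back to `en.php`.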
  
VIII. REFERENCES  
-------------------------  
http://sourceforge.net/projects/quixplorer/  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
March 02, 2009: Initial release.  
December 17, 2009: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 02, 2009: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 03, 2009: QuiXplorer contacted. No answer.  
December 13, 2009: QuiXplorer contacted again. No answer.  
December 17, 2009: Sent to lists with remediation proposal.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
