[Full-disclosure] Advisory 07/2005: Jaws Multiple Remote Code Execution Vulnerabilities

2005-07-06T00:00:00
ID SECURITYVULNS:DOC:9076
Type securityvulns
Reporter Securityvulns
Modified 2005-07-06T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security  Advisory =-



 Advisory: Jaws Multiple Remote Code Execution Vulnerabilities

Release Date: 2005/07/06
Last Modified: 2005/07/06
Author: Stefan Esser [sesser@hardened-php.net]

Application: Jaws <= 0.5.2
Severity: Multiple Security Holes in Jaws allow remote code execution
Risk: Critical
Vendor Status: Vendor doesn't consider this serious enough
References: http://www.hardened-php.net/advisory-072005.php

Overview:

Quote from http://www.jaws.com.mx: "Jaws is a Framework and Content Management System for building dynamic web sites. It aims to be User Friendly giving ease of use and lots of ways to customize web sites, but at the same time is Developer Friendly, it offers a simple and powerful framework to hack your own modules."

An audit of Jaws revealed that it bundles the XML_RPC library and is therefore vulnerable to the known eval() hole in that library. Additionally, the Blog gadget is vulnerable to a remote URL inclusion vulnerability.

The vendor, although it was us who contacted him, credits Gulftech for the XML_RPC vulnerability. He also believes that a remote URL inclusion vulnerability that is only exploitable with register_globals turned on, which is the default on most servers, is not serious.

Because of this, they released an updated version of Jaws that is still vulnerable to remote code execution through the Blog gadget.

Details:

A quick audit of Jaws revealed that it uses the XMLRPC library. The audit also revealed that the file BlogModel.php of the Blog gadget suffers from a remote URL include vulnerability, triggered through the global variable 'path'.
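As an added illustration (this is not Jaws code and not part of the original advisory), the following PHP shows the class of bug described above, an include() whose path comes from an uninitialised global that register_globals lets a request populate, next to a hardened form of the same code. The variable name $path and the file BlogModel.php come from the advisory; the function names, the gadget allowlist, the directory layout and JAWS_GADGET_BASE are assumptions made for the example.

```php
<?php
// Added example, not Jaws code. Shows a register_globals-dependent include
// (the bug class in the advisory) beside a hardened version of the same code.

// --- Vulnerable pattern ---
// With register_globals=On, a request parameter named "path" becomes the
// global $path before this code runs. Because $path is never initialised
// here, include() happily fetches and executes whatever location it names,
// including a remote URL (the remote URL include the advisory describes).
function vulnerableInclude()
{
    global $path;                       // never initialised in this scope
    include $path . '/BlogModel.php';   // path fully controlled by the request
}

// --- Hardened form ---
// 1. Do not depend on register_globals: read input only from an explicit
//    request array, so the value is always initialised by this code.
// 2. Accept only known gadget names (allowlist), so neither a URL, nor a
//    traversal sequence, nor an absolute path can reach include().
// 3. Build the final path from a constant base directory and re-check the
//    canonical result against that base.
define('JAWS_GADGET_BASE', dirname(__FILE__) . '/gadgets'); // assumed layout

function safeInclude(array $request)
{
    $allowed = array('Blog', 'Users', 'Menu');             // assumed gadget names
    $gadget  = isset($request['path']) ? (string) $request['path'] : 'Blog';
    if (!in_array($gadget, $allowed, true)) {
        throw new InvalidArgumentException('unknown gadget');
    }
    $file = JAWS_GADGET_BASE . '/' . $gadget . '/BlogModel.php';

    // realpath() canonicalises the path and returns false for files that do
    // not exist; the prefix check guarantees the resolved file still lives
    // under the base directory even if the allowlist is ever loosened.
    $base = realpath(JAWS_GADGET_BASE);
    $real = realpath($file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('refusing to include a file outside the gadget base');
    }
    include $real;
    return $real;
}

// Defence in depth at the configuration level: refuse to run on a host whose
// php.ini still has the settings a remote URL include needs. register_globals
// must be Off, and allow_url_fopen=Off removes the http:// stream wrapper that
// include() would use to fetch a remote file. (The advisory's Hardening-Patch
// blocks remote includes independently of these settings.)
function configurationIsSafe()
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)
        && !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}
```

The essential change is not the realpath() check but the first two steps: once the included name is initialised by the application and restricted to an allowlist, register_globals can no longer inject it and no string the client sends is ever passed to include() verbatim. The configuration check is a belt-and-braces measure for deployments where the application code cannot be fixed.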

Unfortunately for the users of Jaws, the vendor believes that a remote URL inclusion vulnerability is not serious, and therefore the update they released in response to our notification only upgrades the bundled XMLRPC library. This means that, although they know better, the Jaws developers expose their users to a serious security hole in the Blog gadget.

Impudent like they are, they are also crediting the XMLRPC finding to Gulftech, although it was us who contacted them. But this is not uncommon. Secunia and some Linux vendors still claim that Gulftech informed the PEAR developers about this vulnerability, which is of course a lie.

Proof of Concept:

The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public.

Disclosure Timeline:

  1. July 2005 - Contacted jaws vendor via email
  2. July 2005 - Vendor releases Jaws 0.5.2 which only upgrades the bundled XML_RPC
  3. July 2005 - Public disclosure

Recommendation:

Because there is currently no fix for this vulnerability, we recommend that you simply do not use Jaws at all. Code that requires register_globals to be turned off in order to be secure should be avoided.

Alternatively, you can simply install the Hardening-Patch, which stops this and all other remote URL include vulnerabilities.

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
     Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCyykrRDkUzAqGSqERAreJAKDBozvIiKCUQD7B9rNiVbO3TgJNNwCfRy7n
IsVdXTnI/l6CXqSIrpBSotw=
=5Gdc
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/