Bugtraq mailing list archives
Jupiter Cms Multiple Vulnerabilities
From: admin () bugreport ir
Date: Mon, 24 Dec 2007 15:25:18 +0330
########################## WwW.BugReport.ir ###########################################
# # AmnPardaz Security Research & Penetration Testing Group # # Title: Jupiter Cms Multiple Vulnerabilities # Vendor: http://www.jupiterportal.com # Bugs: Local File Inclusion, Privileges Escalation # Vulnerable Version: 1.1.5ex (prior versions also may be affected) # Exploitation: Remote with browser # Exploit: Available # Fix Available: No! ################################################################################### #################### - Description: ####################Quote from vendor: "Jupiter is one of the most lightweight portal systems available and it`s open source".
#################### - Vulnerability: #################### Improper use of extract() result in multiple vulnerability Such as LFI & PE +-->Local File Inclusion (Remote Code Execution) Code Snippet: /index.php line#609-615 if(isset($n)) { if(file_exists("$n.php")) { if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error"); else include("$n.php"); }It's possible for an attacker to set $n variable! although we have a backward directory traversal check but because of index.php exists in the main directory of application Attacker can upload php codes with image/gif type and include it from images/avatars directory!
POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00 +-->Privileges EscalationThere is a logical weakness in $db->updateRow() which could result in privileges escalation in conjunction with extract() weakness in profile update process.
Code Snippet: /include/functions_db.php line#158-174 function updateRow($table,$array,$condition) { if(count($array)==0) return; $q="UPDATE $table SET "; foreach($array as $index=>$value) { if($value==NULL) $q.="`$index`=NULL, "; else { $value=mysql_escape_string($value); $q.="`$index`='$value', "; } } $q=substr($q,0,-2)." WHERE $condition LIMIT 1"; $this->query($q); } /modules/panel.php line#328-344 $tmp['email'] = $editemail; $tmp['url'] = $editurl; $tmp['flag'] = $editflag; $tmp['location'] = $editlocation; $tmp['age'] = $editage; $tmp['hideemail'] = $edithideemail; $tmp['calendarbday'] = $editcalendarbday; $tmp['msn'] = $editmsn; $tmp['yahoo'] = $edityahoo; $tmp['icq'] = $editicq; $tmp['aim'] = $editaim; $tmp['skype'] = $editskype; $tmp['signature'] = $editsignature; $tmp['aboutme']= $editaboutme; $tmp['templates']= $edittemplate; $db->updateRow("users",$tmp,"id={$user['id']}");$tmp[authorization] which handles users access level can be set at this point with $_GET ,$_POST or $_COOCKIE because of improper use of extract();
#################### - PoC : #################### http://www.bugreport.ir/?/23/exploit Original Advisory: http://www.bugreport.ir/?/23 #################### - Credit : #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com
Current thread:
- Jupiter Cms Multiple Vulnerabilities admin (Dec 24)