Sandbox 2.0.3 Multiple Remote Vulnerabilities
Name Sandbox
Vendor http://www.iguanadons.net
Versions Affected 2.0.3
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-07
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
Sandbox is a personal website package that provides you
with a blog, image gallery, file downloads area, and the
ability to create miscellaneous custom webpages.
II. DESCRIPTION
_______________
Some parameters are not sanitised before being used in
SQL queries and in danger PHP's functions.
The vulnerabilities are reported in version 2.0.3. Other
versions may also be affected.
III. ANALYSIS
_____________
Summary:
A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection
A) Authentication Bypass
________________________
The sandbox_pass's cookie value in global.php is not
properly sanitised before being used in a SQL query.
Since this value is used for the authentication
system, the injection can be used to bypass it.
Successful exploitation requires that "magic_quotes_gpc"
is disabled.
B) Arbitrary File Upload
________________________
When a file is sent to blog.php (and also to profile.php)
a bad check for extension is did. The check consists in
dividing the file's name in substrings delimited by a
point and checking if the second substring's value is
present in the white list. This method works fine for a
file with a single extension, but if an attacker uses a
file with a double extension, this method doesn't work
well. The following is the affected code in blog.php:
$fname = $this->files['image_file']['tmp_name'];
$system = explode( '.', $this->files['image_file']['name'] );
$system[1] = strtolower($system[1]);
if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
NO UPLOAD
} else {
UPLOAD
}
If the file's name is evil.jpg.php: $system[1] = jpg
C) Local File Inclusion
_______________________
The a parameter in admin.php is not properly sanitised
before being used in the require() PHP's function.
This can be exploited to include arbitrary files from
local resources via directory traversal attacks and
URL-encoded NULL bytes.
D) SQL Injection
________________
The p parameter in modules/page.php is not properly
sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.
IV. SAMPLE CODE
_______________
A) Authentication Bypass
cookie: sandbox_pass = 1' OR '1'='1'#
cookie: sandbox_user = userid (1 for admin)
B) Arbitrary File Upload
Upload a file with a double extension.
C) Local File Inclusion
http://site/path/admin.php?a=../../../../../../../etc/passwd%00
D) SQL Injection
http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM sb_users
V. FIX
______
No fix.
暂无评论