Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18728
HistoryDec 24, 2007 - 12:00 a.m.

Jupiter Cms Multiple Vulnerabilities

2007-12-2400:00:00
vulners.com
24
JSON

########################## WwW.BugReport.ir
###########################################

AmnPardaz Security Research & Penetration Testing Group

Title: Jupiter Cms Multiple Vulnerabilities

Vendor: http://www.jupiterportal.com

Bugs: Local File Inclusion, Privileges Escalation

Vulnerable Version: 1.1.5ex (prior versions also may be affected)

Exploitation: Remote with browser

Exploit: Available

Fix Available: No!

###################################################################################

####################

  • Description:
    ####################

Quote from vendor: "Jupiter is one of the most lightweight portal
systems available and it`s open source".

####################

  • Vulnerability:
    ####################

Improper use of extract() result in multiple vulnerability Such as LFI & PE

±->Local File Inclusion (Remote Code Execution)

Code Snippet:

/index.php line#609-615

if(isset($n))
{
if(file_exists("$n.php"))
{
if(strpos($n, "…/") !== false) header("location: $PHP_SELF?i=error");
else include("$n.php");
}

It's possible for an attacker to set $n variable! although we have a
backward directory traversal check but because of index.php exists in
the main directory of application
Attacker can upload php codes with image/gif type and include it from
images/avatars directory!

POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00

±->Privileges Escalation

There is a logical weakness in $db->updateRow() which could result in
privileges escalation in conjunction with extract() weakness in
profile update process.

Code Snippet:

/include/functions_db.php line#158-174

function updateRow($table,$array,$condition)
{
if(count($array)==0) return;
$q="UPDATE $table SET ";
foreach($array as $index=>$value)
{
if($value==NULL)
$q.="`$index`=NULL, ";
else
{
$value=mysql_escape_string($value);
$q.="`$index`='$value', ";
}
}
$q=substr($q,0,-2)." WHERE $condition LIMIT 1";
$this->query($q);
}

/modules/panel.php line#328-344

            $tmp['email'] = $editemail;
            $tmp['url'] = $editurl;
            $tmp['flag'] = $editflag;
            $tmp['location'] = $editlocation;
            $tmp['age'] = $editage;
            $tmp['hideemail'] = $edithideemail;
            $tmp['calendarbday'] = $editcalendarbday;
            $tmp['msn'] = $editmsn;
            $tmp['yahoo'] = $edityahoo;
            $tmp['icq'] = $editicq;
            $tmp['aim'] = $editaim;
            $tmp['skype'] = $editskype;
            $tmp['signature'] = $editsignature;
            $tmp['aboutme']= $editaboutme;
            $tmp['templates']= $edittemplate;

            $db->updateRow("users",$tmp,"id={$user['id']}");

$tmp[authorization] which handles users access level can be set at
this point with $_GET ,$_POST or $_COOCKIE because of improper use of
extract();

####################

####################

JSON