Computer Security
[EN] securityvulns.ru
From:admin_(at)_bugreport.ir <admin_(at)_bugreport.ir>
Date:24.12.2007
Subject:Jupiter Cms Multiple Vulnerabilities


########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: Jupiter Cms Multiple Vulnerabilities
# Vendor: http://www.jupiterportal.com
# Bugs: Local File Inclusion, Privileges Escalation
# Vulnerable Version: 1.1.5ex (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Fix Available: No!
###################################################################################


####################
- Description:
####################

Quote from vendor: "Jupiter is one of the most lightweight portal systems available and it's open source".

####################
- Vulnerability:
####################

Improper use of extract() results in multiple vulnerabilities, namely Local File Inclusion (LFI) and Privilege Escalation (PE).

+-->Local File Inclusion (Remote Code Execution)

Code Snippet:

/index.php line#609-615

// $n is populated from the request by extract(), so it is attacker-controlled.
if(isset($n))
{
        if(file_exists("$n.php"))
        {
                // Only "../" is rejected; any path relative to the web root passes.
                if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
                else include("$n.php");
        }
}

Because of extract(), an attacker can set the $n variable. Although there is a check against backward directory traversal ("../"), index.php lives in the application's root directory, so every file below that directory is reachable without traversal: an attacker can upload PHP code with an image/gif type and include it from the images/avatars directory.

POC: http://localhost/jupiter/index.php?n=images/avatars/aa.gif%00
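The following is an added example of a hardened module dispatcher, written for this page and not code from Jupiter CMS; the module names, the ALLOWED_MODULES map and resolve_module() are hypothetical and it assumes PHP 7.1 or later. Instead of accepting any path that survives a "../" check, it reads the request parameter explicitly (no extract()), accepts only a plain identifier, maps that identifier to a fixed file through an allow-list, and confirms with realpath() that the resolved file sits under the web root. Path-shaped values such as the PoC above, with or without the trailing %00, never reach the filesystem.

```php
<?php
// Added example (not Jupiter CMS code): allow-list based module loading.

// Only modules listed here may ever be included. The user-supplied value
// selects a key; it is never used as a path component itself.
const ALLOWED_MODULES = [
    'news'    => 'modules/news.php',
    'panel'   => 'modules/panel.php',
    'profile' => 'modules/profile.php',
];

/**
 * Resolve a requested module name to an absolute file path, or null if the
 * request must be rejected. $baseDir is the application root (hypothetical).
 */
function resolve_module(string $requested, string $baseDir): ?string
{
    // A module name is a short identifier: this rejects slashes, dots,
    // null bytes and anything else path-like before the map is consulted.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $requested)) {
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_MODULES)) {
        return null;
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_MODULES[$requested]);
    // realpath() returns false for a missing file and canonicalises symlinks;
    // the prefix check guarantees the target stays under the application root.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration on a constructed layout: one real module file is created in
// a temporary directory so that the allow-listed name actually resolves.
$baseDir = sys_get_temp_dir() . '/jupiter_demo_' . getmypid();
mkdir($baseDir . '/modules', 0700, true);
file_put_contents($baseDir . '/modules/news.php', "<?php echo \"news module loaded\\n\";\n");

$samples = [
    'news',                    // listed and present: resolves
    'panel',                   // listed but file missing: rejected by realpath()
    'images/avatars/aa.gif',   // shape of the advisory's PoC: rejected by the regex
    '../../etc/passwd',        // traversal: rejected by the regex
    'news; drop',              // junk: rejected by the regex
];
foreach ($samples as $n) {
    $target = resolve_module($n, $baseDir);
    printf("%-26s => %s\n", $n, $target ?? 'rejected');
}

// How index.php would use it: the parameter is read explicitly, not via extract().
if (isset($_GET['n']) && ($file = resolve_module((string)$_GET['n'], $baseDir)) !== null) {
    include $file;
}

// Clean up the constructed layout.
unlink($baseDir . '/modules/news.php');
rmdir($baseDir . '/modules');
rmdir($baseDir);
```

The allow-list is the actual control; the regex and the realpath() prefix check are defence in depth, so a later edit that adds a module with an unexpected path still cannot escape the application root.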

+-->Privileges Escalation

There is a logical weakness in $db->updateRow() which, combined with the extract() weakness in the profile update process, can result in privilege escalation.

Code Snippet:

/include/functions_db.php line#158-174

function updateRow($table,$array,$condition)
{
        if(count($array)==0) return;
        $q="UPDATE $table SET ";
        // Every key of $array becomes a column name, unescaped and unvalidated:
        // whatever keys the caller's array carries are written to the row.
        foreach($array as $index=>$value)
        {
                if($value==NULL)
                        $q.="`$index`=NULL, ";
                else
                {
                        $value=mysql_escape_string($value);
                        $q.="`$index`='$value', ";
                }
        }
        $q=substr($q,0,-2)." WHERE $condition LIMIT 1";
        $this->query($q);
}

/modules/panel.php line#328-344

        // $tmp is not initialised here; keys it already holds are kept.
        $tmp['email'] = $editemail;
        $tmp['url'] = $editurl;
        $tmp['flag'] = $editflag;
        $tmp['location'] = $editlocation;
        $tmp['age'] = $editage;
        $tmp['hideemail'] = $edithideemail;
        $tmp['calendarbday'] = $editcalendarbday;
        $tmp['msn'] = $editmsn;
        $tmp['yahoo'] = $edityahoo;
        $tmp['icq'] = $editicq;
        $tmp['aim'] = $editaim;
        $tmp['skype'] = $editskype;
        $tmp['signature'] = $editsignature;
        $tmp['aboutme']= $editaboutme;
        $tmp['templates']= $edittemplate;

        $db->updateRow("users",$tmp,"id={$user['id']}");

$tmp['authorization'], which holds the user's access level, can be set at this point through $_GET, $_POST or $_COOKIE because of the improper use of extract(), and updateRow() then writes it to the users table along with the legitimate profile fields.
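The following is an added example, written for this page and not code from Jupiter CMS, of a profile update that cannot be abused this way. It assumes PHP 7.1 or later with PDO and the pdo_sqlite extension (an in-memory SQLite table stands in for the MySQL users table so the example runs offline); PROFILE_COLUMNS, profile_row_from_request() and update_row() are hypothetical names. The two controls are: the row is built from explicitly read request fields using a fixed list of column names, so no client-supplied key such as tmp[authorization] can enter it, and the update routine itself refuses any column outside the allow-list and binds values through a prepared statement instead of interpolating them.

```php
<?php
// Added example (not Jupiter CMS code): profile update with a column allow-list.

// Columns a user may change about themselves. 'authorization' (the access
// level) is deliberately absent, so no request can reach it.
const PROFILE_COLUMNS = ['email', 'url', 'location', 'age', 'hideemail',
    'msn', 'yahoo', 'icq', 'aim', 'skype', 'signature', 'aboutme'];

/**
 * Build the row to write from $post explicitly: no extract(), and every key
 * of the result comes from PROFILE_COLUMNS, never from the client.
 */
function profile_row_from_request(array $post): array
{
    $row = [];
    foreach (PROFILE_COLUMNS as $col) {
        if (array_key_exists('edit' . $col, $post)) {
            $row[$col] = (string) $post['edit' . $col];
        }
    }
    return $row;
}

/**
 * Hardened counterpart of updateRow(): column names are checked against an
 * allow-list and values are bound, not interpolated. The WHERE clause is
 * fixed to the primary key, so the MySQL-only "LIMIT 1" is not needed.
 */
function update_row(PDO $db, string $table, array $row, int $id, array $allowed): void
{
    $sets = [];
    $params = [];
    foreach ($row as $col => $value) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("column not updatable: $col");
        }
        $sets[] = "`$col` = ?";
        $params[] = $value;
    }
    if ($sets === []) {
        return;
    }
    $params[] = $id;
    $sql = "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE id = ?";
    $db->prepare($sql)->execute($params);
}

// Constructed request: a legitimate edit plus two attempts to smuggle in the
// access level (a direct field and the array form extract() would have honoured).
$post = [
    'editemail'         => 'user@example.invalid',
    'editlocation'      => 'Example City',
    'editauthorization' => '1',
    'tmp'               => ['authorization' => '1'],
];
$row = profile_row_from_request($post);
print_r(array_keys($row));   // only email and location survive

// Constructed users table standing in for the MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, location TEXT, authorization INTEGER)');
$db->exec("INSERT INTO users VALUES (7, 'old@example.invalid', '', 0)");

update_row($db, 'users', $row, 7, PROFILE_COLUMNS);
print_r($db->query('SELECT email, location, authorization FROM users WHERE id = 7')
           ->fetch(PDO::FETCH_ASSOC));   // authorization is still 0

// A caller that does pass a forbidden column is stopped before any SQL runs.
try {
    update_row($db, 'users', ['authorization' => '1'], 7, PROFILE_COLUMNS);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The allow-list belongs in the update routine as well as in the form handler: a second caller that forgets to sanitise its array still cannot write the authorization column, which is the defence the original updateRow() lacks.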

####################
- PoC :
####################
http://www.bugreport.ir/?/23/exploit
Original Advisory: http://www.bugreport.ir/?/23

####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod
