Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24204
HistoryJul 11, 2010 - 12:00 a.m.

Sandbox 2.0.3 Multiple Remote Vulnerabilities

2010-07-1100:00:00
vulners.com
17
JSON

Sandbox 2.0.3 Multiple Remote Vulnerabilities

Name Sandbox
Vendor http://www.iguanadons.net
Versions Affected 2.0.3

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-07

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

Sandbox is a personal website package that provides you
with a blog, image gallery, file downloads area, and the
ability to create miscellaneous custom webpages.

II. DESCRIPTION

Some parameters are not sanitised before being used in
SQL queries and in danger PHP's functions.
The vulnerabilities are reported in version 2.0.3. Other
versions may also be affected.

III. ANALYSIS

Summary:

A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection

A) Authentication Bypass

The sandbox_pass's cookie value in global.php is not
properly sanitised before being used in a SQL query.
Since this value is used for the authentication
system, the injection can be used to bypass it.
Successful exploitation requires that "magic_quotes_gpc"
is disabled.

B) Arbitrary File Upload

When a file is sent to blog.php (and also to profile.php)
a bad check for extension is did. The check consists in
dividing the file's name in substrings delimited by a
point and checking if the second substring's value is
present in the white list. This method works fine for a
file with a single extension, but if an attacker uses a
file with a double extension, this method doesn't work
well. The following is the affected code in blog.php:

$fname = $this->files['image_file']['tmp_name'];
$system = explode( '.', $this->files['image_file']['name'] );
$system[1] = strtolower($system[1]);

if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
NO UPLOAD
} else {
UPLOAD
}

If the file's name is evil.jpg.php: $system[1] = jpg

C) Local File Inclusion

The a parameter in admin.php is not properly sanitised
before being used in the require() PHP's function.
This can be exploited to include arbitrary files from
local resources via directory traversal attacks and
URL-encoded NULL bytes.

D) SQL Injection

The p parameter in modules/page.php is not properly
sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

IV. SAMPLE CODE

A) Authentication Bypass

cookie: sandbox_pass = 1' OR '1'='1'#
cookie: sandbox_user = userid (1 for admin)

B) Arbitrary File Upload

Upload a file with a double extension.

C) Local File Inclusion

http://site/path/admin.php?a=../../../../../../../etc/passwd%00

D) SQL Injection

http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM
sb_users

V. FIX

No fix.

JSON