Published Oct 24, 2011 (vulners.com)

Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection


author: EgiX
mail: n0b0d13s[at]gmail[dot]com
software link: http://www.boonex.com/dolphin
affected versions: from 7.0.0 to 7.0.7

[-] vulnerable code in /member_menu_queries.php

    case 'get_bubbles_values' :
        $sBubbles = ( isset($_GET['bubbles']) ) ? $_GET['bubbles'] : null;
        if ( $sBubbles && $iMemberId ) {
            $aMemberInfo = getProfileInfo($iMemberId);
            if($aMemberInfo['UserStatus'] != 'offline') {
                // update the date of last navigate;
                update_date_lastnav($iMemberId);
            }
            $aBubbles = array();
            $aBubblesItems = explode(',', $sBubbles);
            if ( $aBubblesItems && is_array($aBubblesItems) ) {
                $bClearCache = false;
                foreach( $aBubblesItems as $sValue)
                {
                    // $aItem[0] is the menu item name, $aItem[1] the count;
                    // both come straight from $_GET['bubbles']
                    $aItem = explode(':', $sValue);
                    $sBubbleCode = null;
                    foreach($aMenuStructure as $sKey => $aItems)
                    {
                        foreach($aItems as $iKey => $aSubItems)
                        {
                            if( $aSubItems['Name'] == $aItem[0]) {
                                $sBubbleCode = $aSubItems['Bubble'];
                                break;
                            }
                        }
                        if ($sBubbleCode) {
                            break;
                        }
                    }
                    if ($sBubbleCode) {
                        // the unvalidated count is substituted into PHP code...
                        $sCode = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
                        $sCode = str_replace('{ID}', $iMemberId, $sCode);
                        // ...and that code is executed
                        eval($sCode);


When handling the 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
before being used in a call to eval() at line 100; this can be exploited to inject arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication, but it is always possible to create a
new account even if 'REGISTRATION BY INVITATION ONLY' is enabled: in this case an attacker could bypass
the restriction by visiting /index.php?idFriend=1 first and then /join.php for a new registration.
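The root cause above is that the count field of each `name:count` item is copied verbatim from the request into a string that is then passed to eval(). The following is an added example, written for this page and not taken from the advisory, from Dolphin, or from the vendor's 7.0.8 patch: it parses the `bubbles` parameter strictly so that only an allow-listed menu name and an integer survive, and it fills the `{iOldCount}`/`{ID}` placeholders from integer-typed values without any eval(). The function names `parseBubbles` and `renderBubble`, the menu names `Messages` and `Friends`, and the HTML template are assumptions made for the example.

```php
<?php
// Added example, not Dolphin's code and not the vendor's fix.
// Strict parsing of the 'bubbles' parameter from the advisory: only an
// allow-listed name and a short run of digits are accepted per item, so no
// request-controlled text is left that could be substituted into code.

declare(strict_types=1);

/**
 * Parse "name:count,name:count" into [name => int].
 * Returns null if any item is malformed or names an unknown menu entry.
 *
 * @param string   $sBubbles      raw value of $_GET['bubbles']
 * @param string[] $aAllowedNames known menu item names (stands in for $aMenuStructure)
 */
function parseBubbles(string $sBubbles, array $aAllowedNames): ?array
{
    $aResult = [];
    foreach (explode(',', $sBubbles) as $sValue) {
        // Exactly one identifier, one colon, one to nine digits; anything else
        // (quotes, semicolons, parentheses, a second colon) is rejected.
        if (!preg_match('/^([A-Za-z0-9_]{1,64}):(\d{1,9})$/', $sValue, $aMatch)) {
            return null;
        }
        if (!in_array($aMatch[1], $aAllowedNames, true)) {
            return null; // unknown menu item: fail closed instead of guessing
        }
        $aResult[$aMatch[1]] = (int) $aMatch[2]; // integer-typed from here on
    }
    return $aResult;
}

/**
 * Fill a bubble template with values that are already integers.
 * With int parameters there is no request string left to inject, and the
 * result is treated as markup to output, never passed to eval().
 */
function renderBubble(string $sTemplate, int $iOldCount, int $iMemberId): string
{
    return str_replace(
        ['{iOldCount}', '{ID}'],
        [(string) $iOldCount, (string) $iMemberId],
        $sTemplate
    );
}

// Constructed inputs; the menu names, member id and template are hypothetical.
$aAllowed  = ['Messages', 'Friends'];
$sTemplate = '<span class="bubble" data-member="{ID}">{iOldCount}</span>';
$iMemberId = 42;

$aInputs = [
    'Messages:3,Friends:0',   // well-formed: accepted
    'Messages:3;Friends:0',   // separator smuggled into the count: rejected
    'Unknown:1',              // name not in the allow-list: rejected
    'Messages:',              // empty count: rejected
];

foreach ($aInputs as $sInput) {
    $aParsed = parseBubbles($sInput, $aAllowed);
    if ($aParsed === null) {
        echo "rejected: {$sInput}\n";
        continue;
    }
    foreach ($aParsed as $sName => $iCount) {
        echo $sName, ' => ', renderBubble($sTemplate, $iCount, $iMemberId), "\n";
    }
}
```

The design choice is to fail closed: a single malformed item discards the whole request rather than processing the valid items, which keeps the rejected case visible in logs and avoids partially trusted input reaching the rendering step.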

[-] Disclosure timeline:

[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hid the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may have been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reasons, the moderator told me to report the issue through http://www.boonex.com/help/contact"
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure

[-] Proof of concept:

http://www.exploit-db.com/exploits/17994/