Author: EgiX
Mail: n0b0d13s[at]gmail[dot]com
Software link: http://www.boonex.com/dolphin
Affected versions: from 7.0.0 to 7.0.7
[-] Vulnerable code in /member_menu_queries.php

        case 'get_bubbles_values' :
            $sBubbles = ( isset($_GET['bubbles']) ) ? $_GET['bubbles'] : null;
            if ( $sBubbles && $iMemberId ) {
                $aMemberInfo = getProfileInfo($iMemberId);
                if($aMemberInfo['UserStatus'] != 'offline') {
                    // update the date of last navigate;
                    update_date_lastnav($iMemberId);
                }
                $aBubbles = array();
                // user-controlled string split into "name:count" pairs
                $aBubblesItems = explode(',', $sBubbles);
                if ( $aBubblesItems && is_array($aBubblesItems) ) {
                    $bClearCache = false;
                    foreach( $aBubblesItems as $sValue)
                    {
                        $aItem = explode(':', $sValue);
                        $sBubbleCode = null;
                        foreach($aMenuStructure as $sKey => $aItems)
                        {
                            foreach($aItems as $iKey => $aSubItems)
                            {
                                if( $aSubItems['Name'] == $aItem[0]) {
                                    $sBubbleCode = $aSubItems['Bubble'];
                                    break;
                                }
                            }
                            if ($sBubbleCode) {
                                break;
                            }
                        }
                        if ($sBubbleCode) {
                            // $aItem[1] is taken verbatim from $_GET['bubbles'] and
                            // substituted into PHP source that is then evaluated
                            $sCode = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
                            $sCode = str_replace('{ID}', $iMemberId, $sCode);
                            eval($sCode);   // line 100
When handling the 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
before being used in a call to eval() at line 100. This can be exploited to inject arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication, but it is always possible to create a
new account, even if 'REGISTRATION BY INVITATION ONLY' is enabled: in this case an attacker could bypass
the restriction by first visiting /index.php?idFriend=1 and then pointing to /join.php for a new registration.
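For comparison, here is how the same "name:count" parsing could be done so that only an allow-listed menu name and an integer count ever reach the template substitution. This is an added example written for this advisory, not Boonex code or the vendor's patch; the function names and the sample input are hypothetical.

```php
<?php
// Added example (not Boonex code): hardened parsing of the 'bubbles'
// parameter. Entries with an unknown name or a non-numeric count are
// dropped, and the count is cast to int before substitution.

/**
 * Parse "name:count,name:count" into [name => int].
 * $aKnownNames would be built from $aMenuStructure (the 'Name' fields).
 */
function parseBubbles(string $sBubbles, array $aKnownNames): array
{
    $aResult = [];
    foreach (explode(',', $sBubbles) as $sEntry) {
        $aItem = explode(':', $sEntry, 2);
        if (count($aItem) !== 2) {
            continue;                       // malformed entry
        }
        [$sName, $sCount] = $aItem;
        if (!in_array($sName, $aKnownNames, true)) {
            continue;                       // not a known menu item
        }
        if (!ctype_digit($sCount)) {
            continue;                       // count must be digits only
        }
        $aResult[$sName] = (int) $sCount;
    }
    return $aResult;
}

/**
 * Substitute the same placeholders the original code uses ({iOldCount},
 * {ID}), but only ever with integers, so the interpolated text cannot
 * carry PHP syntax into the evaluated string.
 */
function buildBubbleCode(string $sTemplate, int $iOldCount, int $iMemberId): string
{
    return str_replace(
        ['{iOldCount}', '{ID}'],
        [(string) $iOldCount, (string) $iMemberId],
        $sTemplate
    );
}

// Constructed sample: second entry has a non-numeric count, third an unknown name.
$aKnown  = ['Messages', 'Friends'];
$aParsed = parseBubbles('Messages:3,Friends:abc,Unknown:1', $aKnown);
assert($aParsed === ['Messages' => 3]);
assert(buildBubbleCode('getBubble({ID}, {iOldCount});', 3, 42) === 'getBubble(42, 3);');
```

Validating the inputs removes the injection shown above, but the bubble code would still go through eval(); the more robust fix is to replace that eval() with a dispatch to a fixed set of functions keyed by menu name.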
[-] Disclosure timeline:
[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hid the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure
[-] Proof of concept: