Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29764
HistorySep 09, 2013 - 12:00 a.m.

CakePHP AssetDispatcher Local File Inclusion Vulnerability

2013-09-0900:00:00
vulners.com
56
JSON

CVE Number: N/A (not assigned)
Title: CakePHP AssetDispatcher Local File Inclusion Vulnerability
Affected Software: Confirmed on CakePHP v2.3.7, v2.2.8
(prior versions may also be affected)
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.8 & 2.2.9 was released which fixes this vulnerability

Overview:
CakePHP is an open-source web application framework for PHP.
CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to
LFI (Local File Inclusion) attack. Remote attacker can abuse this
vulnerability to steal files on the server or execute PHP commands,
if the target application has one or more themes or plugins. It is
caused by insufficient input validation in AssetDispatcher class.

Details:
CakePHP's AssetDispatcher class serves asset resources (such as image
files) stored under individual theme or plugin directory. This class
determines requested resource's path based on PATH_INFO of request URI.

To prevent attacks, this class validates PATH_INFO and stops loading
requested resource if PATH_INFO contains "…" sequence. But after the
validation step, PATH_INFO will be urldecoded in _getAssetFile(). This
allows attackers to bypass "…" check by urlencoded dot chars (%2e).

I present two examples of attack URI. In both examples, Cake serves the
content of /etc/passwd in HTTP response body.

UR1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.
//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

Successful attack requires one or more themes on the target server.
In the example above, the target application must have "Test1" theme.
This restriction is due to file_exists() check in beforeDispatch().

URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//
%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

Second example is almost same as first one. The difference is that
second one requires one or more Cake plugins with webroot directory.
The plugins must be actually enabled on the target server.

The requested resource is served via include statement, so that PHP
code execution by LFI is possible if the target Cake application
allows uploading files such as image, text and so on.

Timeline:
2013/07/16 Reported to CakePHP Security ML
2013/07/18 Vender announced v2.3.8 & 2.2.9
2013/08/13 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released

JSON