Jan 02, 2015 - 12:00 a.m.

[KIS-2014-15] Osclass <= 3.4.2 (ajax.php) Local File Inclusion Vulnerability

vulners.com

Osclass <= 3.4.2 (ajax.php) Local File Inclusion Vulnerability

[-] Software Link:

http://osclass.org/

[-] Affected Versions:

Version 3.4.2 and probably prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the /oc-includes/osclass/controller/ajax.php script:

        case 'custom': // Execute via AJAX custom file
            if(Params::existParam('route')) {
                $routes = Rewrite::newInstance()->getRoutes();
                $rid = Params::getParam('route');
                $file = '../';
                if(isset($routes[$rid]) && isset($routes[$rid]['file'])) {
                    $file = $routes[$rid]['file'];
                }
            } else {
                // DEPRECATED: Disclosed path in URL is deprecated, use routes instead
                // This will be REMOVED in 3.4
                $file = Params::getParam('ajaxfile');
            }
            if($file == '') {
                echo json_encode(array('error' => 'no action defined'));
                break;
            }
            // valid file?
            if( stripos($file, '../') !== false  || stripos($file, '/admin/') !== false ) ...
                echo json_encode(array('error' => 'no valid ajaxFile'));
                break;
            }
            if( !file_exists(osc_plugins_path() . $file) ) {
                echo json_encode(array('error' => "ajaxFile doesn't exist"));
                break;
            }
            require_once osc_plugins_path() . $file;

User input passed through the "ajaxfile" request parameter when handling a "custom" action within
the AJAX interface is not properly sanitized before being used in a call to the "require_once()"
function at line 255: the only validation is a substring check for "../" and "/admin/", which does
not cover the backslash that Windows also accepts as a directory separator. This can be exploited
to include arbitrary local files and execute arbitrary PHP code when the application is running
on Windows.
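The block below is an added example, not code from the advisory or from Osclass. It places the advisory's substring filter (hypothetical weakAjaxFileCheck(), mirroring the check shown above) beside a stricter validator (hypothetical safeAjaxFileCheck()) that restricts the character set, requires a .php extension and confirms with realpath() that the resolved file stays inside the plugins directory. The plugins directory and its single ajax file are constructed in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example (not Osclass code). Function names are hypothetical.

// Weak check, mirroring the advisory: only the substrings "../" and "/admin/"
// are rejected, so any other directory separator slips through.
function weakAjaxFileCheck(string $file): bool
{
    if ($file === '') {
        return false;
    }
    return stripos($file, '../') === false && stripos($file, '/admin/') === false;
}

// Hardened check: conservative character set, fixed extension, and a
// realpath() containment test against the plugins directory.
function safeAjaxFileCheck(string $pluginsPath, string $file): bool
{
    // Letters, digits, "_", "-", "." and "/" only. This rejects NUL bytes,
    // backslashes, URL-encoded sequences and anything else unexpected.
    if (!preg_match('#\A[A-Za-z0-9_./-]+\z#', $file)) {
        return false;
    }
    // Only PHP files are ever legitimately included here.
    if (substr($file, -4) !== '.php') {
        return false;
    }
    $base   = realpath($pluginsPath);
    $target = realpath($pluginsPath . '/' . $file);
    if ($base === false || $target === false) {
        return false; // plugins dir or candidate file does not exist
    }
    // The resolved file must lie strictly below the resolved plugins dir;
    // realpath() has already collapsed any ".." components.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $base, strlen($base)) === 0;
}

// Constructed demo fixture: a temporary plugins dir with one legitimate file.
$plugins = sys_get_temp_dir() . '/ajaxfile_demo_' . getmypid();
mkdir($plugins . '/myplugin', 0700, true);
file_put_contents($plugins . '/myplugin/ajax.php', "<?php echo 'ok';\n");

// Constructed candidate values for the "ajaxfile" parameter.
$candidates = [
    'myplugin/ajax.php',        // legitimate plugin file
    '../config.php',            // forward-slash traversal, caught by both checks
    '..\\config.php',           // backslash traversal, only the hardened check rejects it
    'myplugin/ajax.php%00.txt', // encoded NUL, rejected by the character-set rule
    'myplugin/missing.php',     // well-formed but absent, rejected by realpath()
];
foreach ($candidates as $c) {
    printf("%-28s weak=%-5s safe=%s\n",
        $c,
        weakAjaxFileCheck($c) ? 'allow' : 'deny',
        safeAjaxFileCheck($plugins, $c) ? 'allow' : 'deny');
}

// Clean up the fixture.
unlink($plugins . '/myplugin/ajax.php');
rmdir($plugins . '/myplugin');
rmdir($plugins);
```

Running it prints one line per candidate; the third line is the interesting one, since the weak check allows the backslash form while the hardened check denies it. In a real deployment the better design is the one the code's own comment points to: drop the deprecated "ajaxfile" parameter entirely and resolve the file only through the registered routes table, which is a fixed allow-list rather than a user-supplied path.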

[-] Solution:

Update to version 3.4.3 or later.

[-] Disclosure Timeline:

[29/09/2014] - Vendor notified
[29/09/2014] - Vendor response
[09/10/2014] - Version 3.4.3 released: http://blog.osclass.org/2014/10/09/osclass-3-4-3
[09/10/2014] - CVE number requested
[11/10/2014] - CVE number assigned
[31/12/2014] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-8084 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-15
