Saturday, September 4, 2010

MOAUB #4 SyndeoCMS Errors

For the last couple of days a group named Abysssec has been releasing a number of "0days" for their month of unpatched bugs event. Personally, I am not a fan of these types of events, and tend to lean more toward the "No more free bugs", but everyone has an opinion ...

Anyway, I finally got to sit down this morning and check out some of these issues out, and wanted to take a minute to make a correction to their research located @ which erroneously labels a fread issue as a file inclusion issue. Below is a small snippet from the  previously mentioned advisory.

This may confuse some people because the example given shows a url executing the "edit_css" branch while the "save_css" part is what is actually shown in their advisory. In addition to that minor discrepancy are a few more issues worth pointing out.

1] There are no checks for traversal sequences within "edit_css" at all, and that is why "..%2F" works to disclose file contents. A urlencoded character such as "%2F" is already translated into "/" by the time it reaches the affected code, and since a literal "%2F" is not translated during the fopen call you simply cannot bypass this with URI encoding.

2] This issue is NOT a file inclusion issue at all, and instead is a fopen/fread issue that allows an attacker to disclose file contents, and not actually "include" code that could be executed by the PHP interpreter.

3] The "save_css" bit is vulnerable to php code execution, which does not require any sort of directory traversal, due to a careless fopen/fwrite usage @ lines 73-75 of

I am not quite sure how this code execution bug got missed considering part of the actual vulnerable source was included in the original advisory.

4] To even reach the configuration functionality you must be authorized. However, using the Abysssec "add admin" CSRF bug this point becomes less of an obstacle for an attacker.

Also, thanks Abyssec, for using several code examples from my research without crediting me. I am glad that I could help ...

No comments:

Post a Comment