BugTraq
Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection Oct 18 2011 12:58PM
n0b0d13s gmail com

--------------------------------------------------------------------
Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection
--------------------------------------------------------------------

author...............: EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.boonex.com/dolphin
affected versions....: from 7.0.0 to 7.0.7

[-] vulnerable code in /member_menu_queries.php

61. case 'get_bubbles_values' :
62. $sBubbles = ( isset($_GET['bubbles']) ) ? $_GET['bubbles'] : null;
63. if ( $sBubbles && $iMemberId ) {
64.
65. $aMemberInfo = getProfileInfo($iMemberId);
66. if($aMemberInfo['UserStatus'] != 'offline') {
67. // update the date of last navigate;
68. update_date_lastnav($iMemberId);
69. }
70.
71. $aBubbles = array();
72. $aBubblesItems = explode(',', $sBubbles);
73.
74. if ( $aBubblesItems && is_array($aBubblesItems) ) {
75. $bClearCache = false;
76. foreach( $aBubblesItems as $sValue)
77. {
78. $aItem = explode(':', $sValue);
79.
80. $sBubbleCode = null;
81. foreach($aMenuStructure as $sKey => $aItems)
82. {
83. foreach($aItems as $iKey => $aSubItems)
84. {
85. if( $aSubItems['Name'] == $aItem[0]) {
86. $sBubbleCode = $aSubItems['Bubble'];
87. break;
88. }
89. }
90.
91. if ($sBubbleCode) {
92. break;
93. }
94. }
95.
96. if ($sBubbleCode) {
97. $sCode = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
98. $sCode = str_replace('{ID}', $iMemberId, $sCode);
99.
100. eval($sCode);

When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication, but is always possible to create a
new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass
the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration.

[-] Disclosure timeline:

[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hide the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure

[-] Prroof of concept:

http://www.exploit-db.com/exploits/17994/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus