Advisory 05/2004: phpMyFAQ local file inclusion vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: phpMyFAQ local file inclusion vulnerability
Release Date: 2004/05/18
Last Modified: 2004/05/18
Author: Stefan Esser [s.esser@xxxxxxxxxxxx]
Application: phpMyFAQ stable release <= 1.3.12
phpMyFAQ developer release <= 1.4.0-alpha1
Severity: A vulnerability within phpMyFAQ allows inclusion of
arbitrary local files
Risk: Medium
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/052004.html
Overview:
Quote from: http://www.phpmyfaq.de
"phpMyFAQ is a multilingual, completely database-driven FAQ-system. For
the time being a MySQL database (support for other databases is under
development) is used to store all data, PHP 4.1.0 (or higher) is needed
in order to access this data. phpMyFAQ also offers a Content Management-
System, flexible multi-user support, a news-system, user-tracking,
language modules, templates, extensive XML-support, PDF-support, a
backup-system and an easy to use installation script."
Within phpMyFAQ an input validation problem exists which allows an
attacker to include arbitrary local files. With known tricks to inject
PHP code into log or session files this could lead to remote PHP code
execution.
Details:
While doing a fast audit of phpMyFAQ 1.3.12 and phpMyFAQ 1.4.0-alpha1
in both versions two different input validation problems were discovered.
Affected is in both cases index.php but in different places.
phpMyFAQ 1.3.12 constructs a template filename with userinput from the
$action variable. It prefixes some directory name and adds an extension.
This means it is not possible to include arbitrary remote files, but it
is possible to use relative paths combines with '\0' string cut attacks
to view any file on the system which is accessible and under some
circumstances this could result in arbitrary PHP code execution if the
attacker is able to inject PHP code into known files.
phpMyFAQ 1.4.0-alpha1 fails to validate that a supplied language code
is valid. When construction a language include filename the user supplied
$lang variable is used without sanity checks. Similar to the previous
issue this allows to view any file on the system. Exploiting this flaw
is possible because realpath supports paths like "dir/file.ext/../../.."
Proof of Concept:
e-matters is not going to release an exploit for this vulnerability to
the public.
Disclosure Timeline:
16. May 2004 - Vendor was notified via email.
18. May 2003 - Vendor has released new versions fixing this problem.
Recommendation:
To protect your server against similar problems with include and require
statements and remote files or '\0' cut attacks I recommened you have a
look at http://www.hardened-php.net which catches remote file includes
and '\0' attacks before they could cause damage.
GPG-Key:
Please notice that e-matters advisories will be signed from now
with this NEW key
http://security.e-matters.de/gpg_key.asc
pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
Copyright 2004 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAqd/zb31XLTAExLwRAriHAKDSlRBk3ZUwPOjbtXx9l8CFy9pBrACfR4Rw
QFJt/SM5/FPT67SjuPpo5B4=
=U1Iv
-----END PGP SIGNATURE-----
--
--------------------------------------------------------------------------
Stefan Esser s.esser@xxxxxxxxxxxx
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------