Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerability
From: Stefan Esser <sesser@xxxxxxxxxxxxxxxx>
Date: Tue, 12 Jul 2005 20:26:38 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.8i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Yawp/YaWiki Remote URL Include Vulnerability 
 Release Date: 2005/07/12
Last Modified: 2005/07/12
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: Yawp <= 1.0.6
     Severity: A global variable can be overwritten which leads
               to a remote URL include vulnerability under 
               some conditions
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-102005.php


Overview:

   Quote from http://phpyawp.com/yawiki/
   "Yawp is Yet Another Web Programming foundation for PHP applications. 
   It is one of the easiest "frameworks" you will ever see for PHP (even 
   though it's not really a framework). Yawp attempts to enhance your 
   own style of programming, not impose a programming method on you."
   
   A very quick glimpse on the source of Yawp showed that the default
   way to use this library is vulnerable to a remote URL inclusion
   vulnerability when running under PHP5, with register_globals and
   allow_url_fopen turned on.
   
   One of the applications that use Yawp in this unsafe way is YaWiki
   from the same author.


Details:

   When the Yawp library is started it can be called with a path to a
   config file. When this config file is omitted it defaults to a config
   file in document root. This behaviour can be overwritten by setting
   the global variable _Yawp['conf_path'].
   
   When register_globals is turned on, it is possible to set this
   variable f.e. through the URL to an arbitrary config file. There is
   a check with file_exists() and therefore it is not possible to put
   a remote URL into this for PHP4. However, with PHP5 stat() support
   was added to the FTP URL wrapper and therefore it is possible to
   exploit this on PHP5 servers by setting the variable to a config
   file lying on any FTP server.
   
   Within this config file it is possible to specify f.e. what PHP
   files should be included when the framework is started. Because 
   this include is not protected by anything it is possible to include
   any remote URL (unless your server runs our Hardening-Patch) or
   any file reachable by the webserver.
   
   
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   12. July 2005 - Vendor contacted
   12. July 2005 - Vendor releases bugfixed version
   12. July 2005 - Public disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied
   new version 
      
      Yawp 1.1.0
      http://phpyawp.com/Yawp-1.1.0.tgz


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFC1BCiRDkUzAqGSqERApOzAJ9vtPhLO/oQWspZrVIg3+jps5Y3ZgCgkMZ9
NsWhok/j+txFCBFwvrXMx34=
=enNp
-----END PGP SIGNATURE-----

Prev by Date: Re: a new sql injection for aspjar guestbook
Next by Date: Re: Problems with the Oracle Critical Patch Update for April 2005
Previous by thread: SoftiaCom MailServer - Local Password Disclosure Vulnerability
Next by thread: MDKSA-2005:116 - Updated cpio packages fix vulnerabilities
Index(es):
- Date
- Thread