Re: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption
From: retrogod@xxxxxxxxxxxxxxxxx, at@xxxxxxxxxxxxxxxxx, aliceposta@xxxxxxxxxxxxxxxxx, it@xxxxxxxxxxxxxxxxx
Date: 30 Nov 2005 20:16:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

it's not an inclusion bug, it is an fopen()/file corruption bug, this is the 
vulnerable code in xarMLSXML2PHPBackend.php:
...
   function create($ctxType, $ctxName)
    {
        assert('!empty($this->baseDir)');
        assert('!empty($this->baseXMLDir)');
        $this->fileName = $this->baseDir;
        $this->xmlFileName = $this->baseXMLDir;

        if (!ereg("^[a-z]+:$", $ctxType)) {
            list($prefix,$directory) = explode(':',$ctxType);
            if ($directory != "") {
                $this->fileName .= $directory . "/";
                $this->xmlFileName .= $directory . "/";
            }
        }

        $dirForMkDir = $this->fileName;
        if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir, 0777);

        $this->fileName .= $ctxName . ".php";
        $this->xmlFileName .= $ctxName . ".xml";

        $xmlFileExists = false;
        if (file_exists($this->xmlFileName)) {
            if (!($fp1 = fopen($this->xmlFileName, "r"))) {
                xarLogMessage("Could not open XML input: ".$this->xmlFileName);
            }
            $data = fread($fp1, filesize($this->xmlFileName));
            fclose($fp1);
            $xml_parser = xml_parser_create();
            xml_parse_into_struct($xml_parser, $data, $vals, $index);
            xml_parser_free($xml_parser);
            $xmlFileExists = true;
        } else {
            xarLogMessage("MLS Could not find XML input: ".$this->xmlFileName);
        }

        $fp2 = @fopen ($this->fileName, "w" );
        if ($fp2 !== false) {
            fputs($fp2, '<?php'."\n");
            fputs($fp2, 'global $xarML_PHPBackend_entries;'."\n");
            fputs($fp2, 'global $xarML_PHPBackend_keyEntries;'."\n");
            if ($xmlFileExists) {
                foreach ($vals as $node) {
                    if (!array_key_exists('tag',$node)) continue;
                    if (!array_key_exists('value',$node)) $node['value'] = '';
                    if ($node['tag'] == 'STRING') {
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        $start = 
'$xarML_PHPBackend_entries[\''.$node['value']."']";
                    } elseif ($node['tag'] == 'KEY') {
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        $start = 
'$xarML_PHPBackend_keyEntries[\''.$node['value']."']";
                    } elseif ($node['tag'] == 'TRANSLATION') {
                        if ($this->outCharset != 'utf-8') {
                            $node['value'] = 
$GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', 
$this->outCharset, 0);
                        }
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        if (!empty($node['value'])) {
                            fputs($fp2, $start . " = '".$node['value']."';\n");
                        }
                    }
                 }
            }
            fputs($fp2, "?>");
            fclose($fp2);
        } else {
            xarLogMessage("Could not create file: ".$this->fileName);
            global $xarML_PHPBackend_entries;
            global $xarML_PHPBackend_keyEntries;
            if ($xmlFileExists) {
                foreach ($vals as $node) {
                    if (!array_key_exists('tag',$node)) continue;
                    if (!array_key_exists('value',$node)) $node['value'] = '';
                    if ($node['tag'] == 'STRING') {
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        $entryIndex = $node['value'];
                        $entryType = 'string';
                    } elseif ($node['tag'] == 'KEY') {
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        $entryIndex = $node['value'];
                        $entryType = 'key';
                    } elseif ($node['tag'] == 'TRANSLATION') {
                        if ($this->outCharset != 'utf-8') {
                            $node['value'] = 
$GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', 
$this->outCharset, 0);
                        }
                        $node['value'] = str_replace('\'', '\\\'', 
$node['value']);
                        if ($entryType == 'string') {
                            $xarML_PHPBackend_entries[$entryIndex] = 
$node['value'];
                        } elseif ($entryType == 'key') {
                            $xarML_PHPBackend_keyEntries[$entryIndex] = 
$node['value'];
                        }
                    }
                 }
            }
        }

        return true;
    }
}
?>

however, this is  my proof of cocept exploit:

http://www.milw0rm.com/id.php?id=1345

Prev by Date: MDKSA-2005:217 - Updated netpbm packages fix pnmtopng vulnerabilities
Next by Date: MDKSA-2005:220 - Updated kernel packages fix numerous vulnerabilities
Previous by thread: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption
Next by thread: ASP-Rider Default.asp SQL Injection
Index(es):
- Date
- Thread