
#5 run.php local file include vulnerability

open
nobody
None
5
2006-04-12
2006-04-12
No

There is a possibility to include any local file due to
improper sanitization of input arguments and permissions
in administrationsmodule/actions/run.php

Even an anonymous user can directly exploit this flaw by
manually crafting a URL like this:

http://SITE_NAME/?action=run&m=VALIDMODULENAME&module=administrationmodule&a=../../../../../../../../../../etc/passwd%00

I've observed and confirmed this vuln in both 0.96.3
and 0.96.5-RC2 running on Apache 1.3 with PHP 4.4.2

To successfully exploit this vulnerability, the web server user
has to have read permission on the included file.

Proposed solutions:
- permission check (this module should be restricted
only to logged-in users),
- resolving the path with realpath and checking that it is
inside DOCUMENT_ROOT

Best Regards
Gasiorowski Maciej

Discussion

  • Maciej Gasiorowski

    run.php file patch

  • Maciej Gasiorowski


    Quick fix for this issue.
    See attached file for details.

    Best regards
    Gasiorowski Maciej

  • jacobmesu

    jacobmesu - 2006-04-20


    Fixed in cvs.

  • Rusty Burchfield


    The patch does not properly handle BASE. If BASE contains a
    symlink, realpath() will expand the path to remove the
    symlink. This will cause the check to always fail.

    Also, if BASE does not end in a trailing slash file will
    always be invalid.

    Here is a better patch:
    --- run_unpatched.php Sat Jun 10 18:21:43 2006
    +++ run.php Sat Jun 10 18:21:28 2006
    @@ -33,9 +33,18 @@

    if (!defined('PATHOS')) exit('');

    -$file = 'modules/' . $_REQUEST['m'] . '/actions/' .
    $_REQUEST['a'] . '.php';
    -if (is_readable($file)) {
    - include($file);
    -} else echo SITE_404_HTML;
    +$realbase = realpath(BASE) .'/';
    +$file = realpath($realbase .'modules/' . $_REQUEST['m'] .
    '/actions/' . $_REQUEST['a'] . '.php');

    +if( substr($file, 0, strlen($realbase) ) == $realbase ){
    + if (is_readable($file)) {
    + include($file);
    + }
    + else {
    + echo SITE_404_HTML;
    + }
    +}
    +else {
    + echo SITE_403_HTML;
    +}
    ?>
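    Review bot: realpath() returns false when the assembled path does not exist, so for a missing module or action `$file` is boolean false, the `substr($file, 0, strlen($realbase)) == $realbase` test fails, and the request falls through to `echo SITE_403_HTML;` instead of the SITE_404_HTML the inner `is_readable` branch was written to produce; test `$file === false` before the prefix comparison and return the 404 there. The prefix comparison also uses loose `==`; `strncmp($file, $realbase, strlen($realbase)) === 0` is the conventional form and avoids PHP's loose string comparison rules. Finally, the hunk header promises 9 lines becoming 18, but the blank line between `'/actions/' . $_REQUEST['a'] . '.php');` and `+if(` carries no leading space, so the patch as pasted will not apply cleanly with `patch -p0`.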

    Note that the above patch is for version 0.96.3. I do not
    have an install of 0.96.5-RC2 and therefore will not submit
    an untested patch for it.

  • Rusty Burchfield


    I noticed that this can be confined even further by moving
    the 'modules/' string into realbase. This way if you have
    stuck other stuff in the base you don't have to worry about
    it, only stuff in the modules folder can be executed now.

    A new patch, once again for 0.96.3, is available here:
    http://www.csh.rit.edu/~gicode/projects/exponent/run.php.patch

    ~Rusty
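As an added example, not Exponent's own code and not the patch quoted above, here is the run.php include hardened along the lines the report and the patch review suggest: an allow-list on the two request parameters (which also stops the %00 truncation in the report), realpath() applied to the modules directory with a trailing separator so a symlinked install directory still passes, and a prefix check on the resolved file. The function name resolve_action_file, the temporary fixture directory and the test cases are this example's own assumptions; Exponent's BASE constant is passed in as $base_dir.

```php
<?php
// Added example, not Exponent's code: a hardened replacement for the
// include in run.php combining the checks discussed in this ticket.
// resolve_action_file() and the fixture paths are assumptions of this
// example; Exponent's BASE constant is passed in as $base_dir.

/**
 * Resolve modules/<m>/actions/<a>.php beneath $base_dir.
 * Returns array('status' => 200|403|404, 'file' => path|null).
 */
function resolve_action_file($base_dir, $m, $a)
{
    // Allow-list the names first: "../", "/", and NUL bytes (the %00 in the
    // report, which truncates the ".php" suffix) never reach the filesystem.
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $m) || !preg_match('/^[A-Za-z0-9_-]+\z/', $a)) {
        return array('status' => 403, 'file' => null);
    }
    // Canonicalise the modules directory (not the whole install) and append
    // a separator: a symlinked install dir then compares equal to the
    // realpath() of its files, and ".../modules-old/" cannot pass as being
    // inside ".../modules/".
    $modules_dir = realpath($base_dir . '/modules');
    if ($modules_dir === false) {
        return array('status' => 404, 'file' => null);
    }
    $modules_dir .= DIRECTORY_SEPARATOR;
    // realpath() returns false for a path that does not exist, so a missing
    // action is reported as 404 rather than 403.
    $file = realpath($modules_dir . $m . '/actions/' . $a . '.php');
    if ($file === false || !is_file($file) || !is_readable($file)) {
        return array('status' => 404, 'file' => null);
    }
    // A symlink inside modules/ that points outside it is still refused.
    if (strncmp($file, $modules_dir, strlen($modules_dir)) !== 0) {
        return array('status' => 403, 'file' => null);
    }
    return array('status' => 200, 'file' => $file);
}

// Constructed fixture: a fake install with one real action, reached both
// directly and through a symlinked install directory (the case raised in
// the patch review).
$real = sys_get_temp_dir() . '/exponent_' . uniqid();
$link = $real . '_link';
mkdir($real . '/modules/foo/actions', 0700, true);
file_put_contents($real . '/modules/foo/actions/bar.php', "<?php echo 'bar';\n");
symlink($real, $link);

$cases = array(
    array($real, 'foo', 'bar', 200),
    array($link, 'foo', 'bar', 200),      // symlinked BASE still resolves
    array($real, 'foo', 'missing', 404),
    array($real, 'administrationmodule', '../../../../../../../../../../etc/passwd', 403),
    array($real, 'foo', "../../../../etc/passwd\0", 403),   // NUL truncation
    array($real, '../modules/foo', 'bar', 403),              // escape via m
);
foreach ($cases as $c) {
    $r = resolve_action_file($c[0], $c[1], $c[2]);
    printf("m=%-22s a=%-42s got %d, want %d: %s\n",
        $c[1], addcslashes($c[2], "\0"), $r['status'], $c[3],
        $r['status'] === $c[3] ? 'ok' : 'FAIL');
}

// Dispatch as run.php would, only on a 200.
$r = resolve_action_file($real, 'foo', 'bar');
if ($r['status'] === 200) {
    include $r['file'];   // runs the resolved action
    echo "\n";
}

// Tidy up the fixture.
unlink($link);
unlink($real . '/modules/foo/actions/bar.php');
rmdir($real . '/modules/foo/actions');
rmdir($real . '/modules/foo');
rmdir($real . '/modules');
rmdir($real);
```

Run it with `php example.php`; each case prints `ok`. The allow-list does the real work, and the realpath() prefix check is kept as a second layer so that a symlink planted inside modules/ cannot pull in a file from elsewhere on the host.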

  • jacobmesu

    jacobmesu - 2006-08-15


    Fixed in cvs

