#230 FILE DELETION (+CSRF)

closed-fixed
nabber00
Security (24)
7
2010-09-15
2010-08-15
nabber00
No

There is a CSRF vulnerability which can lead to file
deletion. Let's see the code of "trackback_delete_cgi.php":

22| if ( array_key_exists( 'trackback', $_GET ) ) {
23| $ok = delete_trackback( $_GET[ 'trackback' ] );
24| }

So if the variable "trackback" is set with the GET method,
the delete_trackback() function is called. The code of
this function is situated in "sb_trackback.php":

229| function delete_trackback ( $entryFile ) {
230| // Delete the old file
231| if ( file_exists( $entryFile ) ) {
232| $ok = sb_delete_file( $entryFile );
233| }

If the file exists, the function sb_delete_file() is called,
with the parameter $_GET['trackback']. The source code
of this function is situated in the file "sb_fileio.php":

171| function sb_delete_file ( $filename ) {
|
175| clearstatcache();
176| if ( file_exists( $filename ) ) {
177| $result = @unlink( $filename );
178| }

There is no verification before deleting the file. So we
can delete any files on the server. The HTTP packet sent
by the attacker will look's like this:

GET /trackback_delete_cgi.php?trackback=<FILE> HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n\r\n

Admin right's are needed to delete files, but because
it's also a CRLF vulnerability, we can use it in our XSS,
then so admin right's aren't needed for the attacker.

Source: http://archive.cert.uni-stuttgart.de/bugtraq/2007/10/msg00314.html

Discussion

  • nabber00

    nabber00 - 2010-09-15

    Fixed in svn r82. delete_trackback will only allow deletion of .txt files in the content dir.

     
  • nabber00

    nabber00 - 2010-09-15
    • status: open --> closed-fixed
     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks