CVE Number: N/A (not assigned)
Title: CakePHP AssetDispatcher Local File Inclusion Vulnerability
Affected Software: Confirmed on CakePHP v2.3.7, v2.2.8
(prior versions may also be affected)
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.8 & 2.2.9 was released which fixes this vulnerability
Overview:
CakePHP is an open-source web application framework for PHP.
CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to
LFI (Local File Inclusion) attack. Remote attacker can abuse this
vulnerability to steal files on the server or execute PHP commands,
if the target application has one or more themes or plugins. It is
caused by insufficient input validation in AssetDispatcher class.
Details:
CakePHP's AssetDispatcher class serves asset resources (such as image
files) stored under individual theme or plugin directory. This class
determines requested resource's path based on PATH_INFO of request URI.
To prevent attacks, this class validates PATH_INFO and stops loading
requested resource if PATH_INFO contains ".." sequence. But after the
validation step, PATH_INFO will be urldecoded in _getAssetFile(). This
allows attackers to bypass ".." check by urlencoded dot chars (%2e).
I present two examples of attack URI. In both examples, Cake serves the
content of /etc/passwd in HTTP response body.
UR1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.
//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
Successful attack requires one or more themes on the target server.
In the example above, the target application must have "Test1" theme.
This restriction is due to file_exists() check in beforeDispatch().
URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//
%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
Second example is almost same as first one. The difference is that
second one requires one or more Cake plugins with webroot directory.
The plugins must be actually enabled on the target server.
The requested resource is served via include statement, so that PHP
code execution by LFI is possible if the target Cake application
allows uploading files such as image, text and so on.
Timeline:
2013/07/16 Reported to CakePHP Security ML
2013/07/18 Vender announced v2.3.8 & 2.2.9
2013/08/13 Disclosure of this advisory
Recommendation:
Upgrade to the latest version.
Reference:
http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released