# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application


OVERVIEW
--------

The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").

This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.


DETAILS
-------

The documentation of uWSGI states that the php-docroot option is used to jail the PHP environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server):

; jail our php environment to project_dir
php-docroot = %(project_dir)

During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when run standalone (without a front-end web server) with the "php-docroot" option set to enforce the DOCUMENT_ROOT of the web application:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/

An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information, as demonstrated below:

http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

We noticed that when a Directory Traversal attack was performed, uWSGI issued the following security error:

[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path

However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.

After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option had previously been added to uWSGI for better security and could be used to list the allowed document roots, but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).

Upon further testing, we observed that when "php-allowed-docroot" was used instead of the "php-docroot" option, uWSGI was not affected by Directory Traversal attacks:

uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/

After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
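The following is an added illustration of the containment check the fix enforces; it is not uWSGI's code and does not claim to reproduce its implementation. It takes the document root and the traversal request from the advisory's own example, percent-decodes the URL path once, lexically normalises it against the docroot, and contrasts a handler that merely logs a security error (the behaviour described above) with one that actually refuses the request. The `FAKE_FS` dictionary, its contents, the `[fileserve]` log prefix and all function names are constructed for this example; the `is_under_any` helper generalises the single-root check to a list of roots, which is the shape of the "php-allowed-docroot" option.

```python
import posixpath
from urllib.parse import unquote

# Document root from the advisory's example uwsgi invocation.
DOCROOT = "/home/testing/webapp/"

# Constructed stand-in for the filesystem so the example runs offline.
# The file contents are made up and only stand in for "sensitive data".
FAKE_FS = {
    "/home/testing/webapp/index.php": "<?php echo 'hello'; ?>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}


def read_file(path):
    """Stand-in for open(path).read(); returns None for missing files."""
    return FAKE_FS.get(path)


def resolve_request(docroot, raw_path):
    """Map a URL path onto a filesystem path below docroot.

    The path is percent-decoded exactly once (so "..%2f" becomes "../",
    while a double-encoded "..%252f" stays a literal segment) and then
    lexically normalised, collapsing "." and ".." segments.
    """
    decoded = unquote(raw_path)
    relative = decoded.lstrip("/")          # always join relative to docroot
    return posixpath.normpath(posixpath.join(docroot, relative))


def is_under_docroot(docroot, candidate):
    """True only if candidate is docroot itself or a path inside it.

    The trailing separator matters: without it "/home/testing/webapp2"
    would pass a plain prefix test against "/home/testing/webapp".
    """
    root = posixpath.normpath(docroot)
    return candidate == root or candidate.startswith(root + "/")


def is_under_any(docroots, candidate):
    """Several permitted roots, in the spirit of php-allowed-docroot."""
    return any(is_under_docroot(root, candidate) for root in docroots)


def check_request(docroot, raw_path):
    """Return (allowed, resolved_path) for a request path."""
    candidate = resolve_request(docroot, raw_path)
    return is_under_docroot(docroot, candidate), candidate


def serve_warn_only(docroot, raw_path):
    """The behaviour the advisory describes: the check runs and logs a
    security error, but its verdict is not used to stop the read."""
    allowed, path = check_request(docroot, raw_path)
    if not allowed:
        print(f"[fileserve] security error: {path} is not under {docroot}")
    return read_file(path)


def serve_enforced(docroot, raw_path):
    """Hardened handler: a request that resolves outside docroot is
    refused (a real server would answer 403) and never reaches the read."""
    allowed, path = check_request(docroot, raw_path)
    if not allowed:
        return None
    return read_file(path)


if __name__ == "__main__":
    traversal = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
    print("warn-only :", serve_warn_only(DOCROOT, traversal))
    print("enforced  :", serve_enforced(DOCROOT, traversal))
    print("enforced  :", serve_enforced(DOCROOT, "/index.php"))
```

Running the block shows the warn-only handler printing the security error and still returning the fake /etc/passwd contents, while the enforced handler returns nothing for the same request and serves index.php normally. Two caveats for a real server: decode the path exactly once and normalise afterwards, as above, otherwise encoded separators are missed or decoded twice; and a lexical check does not see symlinks, so after confirming the file exists the handler should also resolve it with os.path.realpath() and repeat the containment test on the real path.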


IMPACT
------

An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.


MITIGATION
----------

It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html


REFERENCES
----------

https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)


TIMELINE
--------

26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed