1
McDonald
Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 20:49

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


Secunia Advisory: SA20176

Quote:

Release Date: 2006-05-22

Critical: Moderately critical

Impact: Exposure of sensitive information System access

Where: From remote

Solution Status: Unpatched

Software: XOOPS 2.x


Description:
rgod has reported two vulnerabilities in Xoops, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.

Input passed to the "xoopsConfig" array parameter when the "xoopsOption[nocommon]" parameter is defined isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Examples:
http://[host]/misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=[file]%00
http://[host]/index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]=[file]%00


Successful exploitation requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.

This can further be exploited to include PHP code injected into Apache web logs or include PHP code injected into uploaded avatar images (requires that avatar upload support is enabled and knowledge of the uploaded filename).

The vulnerabilities have been reported in version 2.0.13.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
rgod

Original Advisory:
http://milw0rm.com/exploits/1811


2
skalpa
Re: Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 21:00

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


A patch will be published during the night (in 6-7 hours).

In the meantime if your server is endangered, you can apply the fix manually...

- Open mainfile.php
- Add the following lines around the end, just above the "if"
foreach (array('GLOBALS''_SESSION''HTTP_SESSION_VARS''_GET''HTTP_GET_VARS''_POST''HTTP_POST_VARS''_COOKIE''HTTP_COOKIE_VARS''_REQUEST''_SERVER''HTTP_SERVER_VARS''_ENV''HTTP_ENV_VARS''_FILES''HTTP_POST_FILES''xoopsDB''xoopsUser''xoopsUserId''xoopsUserGroups''xoopsUserIsAdmin''xoopsConfig''xoopsOption''xoopsModule''xoopsModuleConfig''xoopsRequestUri') as $bad_global) {
            if (isset(
$_REQUEST[$bad_global])) {
                
header('Location: '.XOOPS_URL.'/');
                exit();
            }
        }


So it looks like:
foreach (array(
.... 
CODE ABOVE....
}
    if (!isset(
$xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }


PS: If you have the protector module installed then the snippet has to be inserted before the "precheck" include (nevertheless, a site with protector is shielded against this vulnerability).

skalpa.>
Any intelligent fool can make things bigger, and more complex. It takes a touch of genius, a lot of courage, to move in the opposite direction.
Two things are infinite: the universe and human stupidity; and I'm not sure about the 1st one (A.Einstein)

3
m0nty
Re: Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 21:09

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


& if register_globals is disabled non of those exploits will compromise ur system anyway ;)

on a secondary note. can we not post security exploits on the public forum :S

4
McDonald
Re: Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 21:27

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


So, if Protector is installed, the end of mainfile.php should look like:

foreach (array('GLOBALS''_SESSION''HTTP_SESSION_VARS''_GET''HTTP_GET_VARS''_POST''HTTP_POST_VARS''_COOKIE''HTTP_COOKIE_VARS''_REQUEST''_SERVER''HTTP_SERVER_VARS''_ENV''HTTP_ENV_VARS''_FILES''HTTP_POST_FILES''xoopsDB''xoopsUser''xoopsUserId''xoopsUserGroups''xoopsUserIsAdmin''xoopsConfig''xoopsOption''xoopsModule''xoopsModuleConfig''xoopsRequestUri') as $bad_global) {
            if (isset(
$_REQUEST[$bad_global])) {
                
header('Location: '.XOOPS_URL.'/');
                exit();
            }
        }
    include( 
XOOPS_ROOT_PATH '/modules/protector/include/precheck.inc.php' ) ;
    if (!isset(
$xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {
        require 
XOOPS_ROOT_PATH."/include/common.php";
    }
    include( 
XOOPS_ROOT_PATH '/modules/protector/include/postcheck.inc.php' ) ;


Or not?

5
m0nty
Re: Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 21:31

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


yep, that's correct Mcdonald :)

altho if protector is installed or reg globals is disabled, there's no need for the patch.. but the patch is always good to have anyway :)

6
McDonald
Re: Xoops Local File Inclusion Vulnerabilities
  • 2006/5/22 21:38

  • McDonald

  • Home away from home

  • Posts: 1072

  • Since: 2005/8/15


It's always good to have some extra protection

Login

Who's Online

290 user(s) are online (167 user(s) are browsing Support Forums)


Members: 0


Guests: 290


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits