1
smdcom
Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

http://secunia.com/advisories/17573/

Quote:
Secunia Advisory: SA17573
Release Date: 2005-11-15

Critical:
Moderately critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: Xoops 2.x


Description:
rgod has discovered a vulnerability in Xoops, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "xoopsConfig[language]" parameter in "class/xoopseditor/textarea/editor_registry.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.

The vulnerability has been confirmed in version 2.2.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

Provided and/or discovered by:
rgod


Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

2
dickinsd
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 16:14

  • dickinsd

  • Quite a regular

  • Posts: 278

  • Since: 2004/11/14


Quote:
Solution:
Edit the source code to ensure that input is properly verified.


how would you verify this?

Dave

EDIT:

Quote:
Successful exploitation requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.


If magic_quotes_gpc is ON does this mean that someone would be unable to use this exploit?

Not sure how I could change register_globals as my sites are on hosted servers, presumably the php config is beyond my control?

3
m0nty
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 16:23

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


You can set register globals off by using .htaccess

There are many threads and topics in these forums on how to do that ;)

but yes, it does mean that if magic_quotes GPC is ON then this exploit will not work :)

try

php_value allow_url_fopen off
php_flag register_globals off


and install XOOPS protector module too..

incidentally, it's been said for many years that programmers should write their code properly so that their scripts work with register globals turned off not just for security but for better programming technique. system administrators really oughta by now, disable register globals on all their servers..

4
dickinsd
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 16:39

  • dickinsd

  • Quite a regular

  • Posts: 278

  • Since: 2004/11/14


Thanks for the info bud.

Will try that later.

Dave

5
Dave_L
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 16:55

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
...
Solution:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off"
...


1) My understanding is that either of these remedies will remove the vulnerability.

I.e., if either the source code is edited to verify the input, or if register_globals is turned off, then the vulnerability is removed.

Please correct me if I'm wrong.

2) Here's a suggested "quick fix" for the source code:

class/xoopseditor/textarea/editor_registry.php

$root_path = dirname($current_path);

// --- added lines start ---
// Replace unsafe characters with underscores.
$xoopsConfig['language'] = preg_replace('/[^A-Za-z0-9._.-]/', '_', $xoopsConfig['language']);
// --- added lines end ---

if (file_exists($root_path."/language/".$xoopsConfig['language'].".php")) {
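
A stricter alternative to the character filter in the post above, as an added example that is not part of the original post or of XOOPS: instead of rewriting the request value, look it up in the list of language files that are actually installed, so the value itself never becomes part of the include path. The function name `resolve_language_file`, the `english` default and the demo directory are assumptions.

```php
<?php
// Added example, not XOOPS code: allowlist lookup for the language name.
// resolve_language_file() and the demo tree below are hypothetical.

function resolve_language_file($root_path, $language, $default = 'english')
{
    $lang_dir = realpath($root_path . '/language');
    if ($lang_dir === false) {
        return false;                    // no language directory at all
    }

    // Allowlist = language files that are actually installed.
    $allowed = array();
    $files = glob($lang_dir . '/*.php');
    foreach (($files ? $files : array()) as $file) {
        $allowed[basename($file, '.php')] = $file;
    }

    // Accept only an exact match on an installed name; anything else
    // (unknown name, traversal string, non-string value) gets the default.
    if (is_string($language) && isset($allowed[$language])) {
        return $allowed[$language];
    }
    return isset($allowed[$default]) ? $allowed[$default] : false;
}

// Constructed demo: a throwaway tree with two language files.
$root = sys_get_temp_dir() . '/lang_demo_' . uniqid();
mkdir($root . '/language', 0700, true);
file_put_contents($root . '/language/english.php', "<?php // english\n");
file_put_contents($root . '/language/french.php', "<?php // french\n");

$inputs = array(
    'installed name'  => 'french',
    'unknown name'    => 'klingon',
    'traversal'       => '../../../../etc/passwd',
    'array, not text' => array('french'),
);
foreach ($inputs as $label => $input) {
    $path = resolve_language_file($root, $input);
    echo str_pad($label, 18), basename($path), "\n";
}

// Remove the demo tree again.
array_map('unlink', glob($root . '/language/*.php'));
rmdir($root . '/language');
rmdir($root);
```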

6
Rhomal
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 21:31

  • Rhomal

  • Quite a regular

  • Posts: 274

  • Since: 2004/10/5


Quote:

m0nty wrote:
You can set register globals off by using .htaccess

There are many threads and topics in these forums on how to do that ;)

but yes, it does mean that if magic_quotes GPC is ON then this exploit will not work :)

try

php_value allow_url_fopen off
php_flag register_globals off


and install XOOPS protector module too..

incidentally, it's been said for many years that programmers should write their code properly so that their scripts work with register globals turned off not just for security but for better programming technique. system administrators really oughta by now, disable register globals on all their servers..


In a perfect world sure, but sadly there are MANY popular modules that require RG turned on.

Only reason I have it turned on is that turning it off would disable a couple of my modules.

7
Dave_L
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/15 22:15

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


The more I think about it, the more strongly I believe that "register_globals" was a really, really bad idea for a PHP feature.

Maybe if 100% of the internet users were benevolent and never made mistakes, it would work. But obviously that isn't the case.

Rhomal, a compromise you could try is to disable register_globals "globally", and only turn it on for the specific modules, via .htaccess files in the module directories, that need it. Of course, an attacker could be targeting those modules specifically, so it might not accomplish anything.

8
Bananadude
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/16 11:19

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


I have no experience with .htaccess ..just try to follow all suggestions that sound good from trusted sites

But if I have understood it right..
php_flag allow_url_fopen off
php_flag register_globals off

..is only required in the root of the website, correct?
--- censored by Bananadude ---

9
Dave_L
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/16 15:04

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Bananadude, that's correct for register_globals.

For allow_url_fopen, it should also be php_flag, not php_value.

But (for PHP > 4.3.4) allow_url_fopen can only be changed in httpd.conf or php.ini. In httpd.conf, you would use php_admin_flag (I think), rather than php_flag. Usually only the server admin can modify those.

If that doesn't confuse you, let me know, and I'll try harder.

10
Bananadude
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
  • 2005/11/16 15:12

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


way too easy Dave_L, try harder to make me *confused*

Have got my server-admin to change allow_url_fopen.. kind admin, even when he screws up the server sometimes...

Quote:
Successful exploitation requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.


Should I also make sure that magic_quotes_gpc is ON ?

Thanks for your help

[Edit:] magic_quotes_gpc set to 1
--- censored by Bananadude ---
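
For checking whether the .htaccess or server-level changes discussed in this thread actually took effect, an added example that is not from any of the posts or from XOOPS: a small script that reports the effective values of the three settings and whether the two conditions named in the advisory both hold. The function names `ini_flag` and `advisory_preconditions` are assumptions.

```php
<?php
// Added example, not XOOPS code: report the effective PHP settings for
// the directory this file is placed in. Function names are hypothetical.

// Normalise an ini value to true/false, or null if the directive
// does not exist in this PHP build.
function ini_flag($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    return in_array(strtolower(trim($raw)), array('1', 'on', 'true', 'yes'), true);
}

function advisory_preconditions()
{
    $rg  = ini_flag('register_globals');
    $mq  = ini_flag('magic_quotes_gpc');
    $url = ini_flag('allow_url_fopen');

    return array(
        'register_globals' => $rg,
        'magic_quotes_gpc' => $mq,
        'allow_url_fopen'  => $url,
        // SA17573 requires register_globals enabled AND magic_quotes_gpc
        // disabled; a missing magic_quotes_gpc directive counts as disabled.
        'sa17573_preconditions_met' => ($rg === true && $mq !== true),
    );
}

header('Content-Type: text/plain');
foreach (advisory_preconditions() as $name => $value) {
    $text = ($value === null) ? 'not available' : ($value ? 'on/yes' : 'off/no');
    echo str_pad($name, 28), $text, "\n";
}
```

Request the file through the web server rather than running it from the command line, since .htaccess overrides only apply to web requests, and delete it once you have the answer.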
