
Mambo Site Server Remote Code Execution

by Nikola Strahija on January 12th, 2003 A couple of vulnerabilities have been discovered, including XSS and Remote Code Execution on the server with server permissions.


Homepage : http://www.mamboserver.com
Vendor : informed
Mailed advisory: 09/01/03
Vendor Response : None yet


- ----------------------
Affected Versions:
- ----------------------

4.0.12 BETA and Prior


- ----------------------
Description:
- ----------------------

Mambo Site Server is a website portal tool written in PHP. A couple of vulnerabilities have been
discovered, including XSS and Remote Code Execution on the server with server permissions.
Several include and upload scripts do not check for admin access or any other restriction
and allow attackers to run arbitrary code without permission.

- ----------------------
Vulnerability:
- ----------------------

1. XSS exists in the following files and possibly in a couple more.

administrator/popups/sectionswindow.php (type=web&link="

administrator/gallery/gallery.php (directory=")

administrator/gallery/navigation.php (directory=")

administrator/gallery/uploadimage.php (directory=")

administrator/gallery/view.php (path=")

administrator/upload.php (newbanner=1&choice=")

themes/mambosimple.php (detection=detected&sitename=)

upload.php (type=")

emailfriend/emailarticle.php (id=")

emailfriend/emailfaq.php (id=")

emailfriend/emailnews.php (id=")



2. Remote Arbitrary Code Execution is found in the gallery image uploader under administrator directory.

administrator/gallery/uploadimage.php

(these are also exploitable: upload.php and administrator/upload.php)

Apparently, this file allows any remote or local user to upload 'images' to the server
without checking for any permissions. By tricking the badly written file extension security
check, an attacker can upload arbitrary files of any type to the server.


- ----------------------
Exploit:
- ----------------------

The following code can be found inside uploadimage.php file.


**********************************************************************


..

if (isset($fileupload)){
    // Destination is chosen by the client-supplied $directory (register_globals);
    // neither $fileupload nor $directory is tied to an authenticated session.
    if ($directory!="uploadfiles"){
        $base_Dir = "../../images/stories/";
    }else{
        $base_Dir = "../../uploadfiles/$Itemid/";
    }

    // Only the part before the first "." is restricted to [0-9a-zA-Z_]; later
    // segments of the name are never checked. Note that split() takes a POSIX
    // regex, and an unescaped "." matches any character.
    $filename = split(".", $userfile_name);
    if (eregi("[^0-9a-zA-Z_]", $filename[0])){
        print "n";
        exit();
    }

    if (file_exists($base_Dir.$userfile_name)){
        print "n";
        exit();
    }

    // The "extension" check: eregi() is a case-insensitive regex match anywhere
    // in the string, so ".jpg" in the middle of the name is enough to pass.
    if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
        print "n";
        exit();
    }

    // The file is copied under its original, unchanged name into a web-reachable directory.
    if ((eregi(".pdf", $userfile_name)) || (eregi(".doc", $userfile_name)) || (eregi(".xls", $userfile_name))){
        if (!copy($userfile, $pdf_path.$userfile_name)){
            echo "Failed to copy $userfile_name";
        }
    }
    elseif (!copy($userfile, $base_Dir.$userfile_name)){
        echo "Failed to copy $userfile_name";
    }

    if (eregi(".jpg", $userfile_name)){
        print "n";
    }
    elseif (eregi(".pdf", $userfile_name)){
        print "n";
    }
    if (eregi(".png", $userfile_name)){
        print "n";
    }
    else {
        print "n";
    }
}

..


**********************************************************************


First of all

- ---=---
if (isset($fileupload)){
if ($directory!="uploadfiles"){
$base_Dir = "../../images/stories/";
}else{
$base_Dir = "../../uploadfiles/$Itemid/";
}
- ---=---

This just sets the directory the files will be uploaded to.
We can leave both $directory and $fileupload empty.

Now let's examine the 'security check' that is included in this code:

- ---=---
if ((!eregi(".gif", $userfile_name)) && (!eregi(".png", $userfile_name)) && (!eregi(".jpg", $userfile_name)) && (!eregi(".doc", $userfile_name))&& (!eregi(".xls", $userfile_name))&& (!eregi(".swf", $userfile_name)) && (!eregi(".pdf", $userfile_name))){
- ---=---

As you may or may not see, eregi() only checks whether '.ext' occurs somewhere inside the string $userfile_name;
it does not check that the name ends with that extension.
The attacker can just rename his file to r00t.jpg.php and upload it without any warnings.

After uploading the arbitrary file successfully, the attacker just needs to activate his code by
calling /images/stories/r00t.jpg.php and he's got remote access to the server with server permissions.
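To make the flaw concrete, the following is an added example (not Mambo's code and not part of the original advisory) that reproduces the advisory's substring-style extension check with preg_match() (eregi() no longer exists in current PHP) and places a hardened check beside it that validates only the final extension. The ALLOWED_EXTENSIONS list mirrors the advisory's check; the sample filenames, the function names and the storageNameFor() helper are constructed for this illustration.

```php
<?php
// Added example, not Mambo's code: the advisory's substring-style extension
// check (legacy) next to a hardened check that validates only the final
// extension. ALLOWED_EXTENSIONS mirrors the advisory; sample names are constructed.

const ALLOWED_EXTENSIONS = ['gif', 'png', 'jpg', 'doc', 'xls', 'swf', 'pdf'];

// Legacy behaviour: eregi(".jpg", $name) is a case-insensitive regex match
// anywhere in the string, and the unescaped "." matches any character.
// Accepts "r00t.jpg.php" because ".jpg" occurs inside it.
function legacyExtensionCheck(string $userfileName): bool
{
    foreach (ALLOWED_EXTENSIONS as $ext) {
        if (preg_match('/.' . $ext . '/i', $userfileName) === 1) {
            return true;
        }
    }
    return false;
}

// Hardened behaviour: strip any path component, require a single-dot name with
// a [0-9A-Za-z_] basename, and compare the *last* extension against the
// allow-list. "r00t.jpg.php" is rejected because it has more than one dot and
// its final extension is "php".
function hardenedExtensionCheck(string $userfileName): bool
{
    $name = basename($userfileName);
    if (preg_match('/^[0-9A-Za-z_]+\.([0-9A-Za-z]+)$/', $name, $m) !== 1) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true);
}

// Hypothetical helper: a server-chosen storage name, so the client's filename
// never reaches the filesystem. The caller still keeps the upload directory
// outside the web root or with script execution disabled.
function storageNameFor(string $userfileName): ?string
{
    if (!hardenedExtensionCheck($userfileName)) {
        return null;
    }
    $ext = strtolower(pathinfo($userfileName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample filenames with the verdict of each check.
function compareChecks(): array
{
    $samples = ['photo.jpg', 'report.PDF', 'r00t.jpg.php', 'a.gifx', 'shell.php'];
    $rows = [];
    foreach ($samples as $name) {
        $rows[$name] = [
            'legacy'   => legacyExtensionCheck($name),
            'hardened' => hardenedExtensionCheck($name),
        ];
    }
    return $rows;
}

foreach (compareChecks() as $name => $verdict) {
    printf("%-14s legacy=%-5s hardened=%s\n", $name,
        $verdict['legacy'] ? 'pass' : 'fail',
        $verdict['hardened'] ? 'pass' : 'fail');
}
```

Running this from the command line lists each sample with both verdicts: photo.jpg and report.PDF pass both checks, r00t.jpg.php and a.gifx pass only the legacy check, and shell.php fails both. The point of the hardened variant is that the decision is made on the last extension of a strictly shaped basename rather than on a substring; renaming the stored file server-side and keeping the upload directory non-executable are the two further controls that limit the damage even when a check is later found to be bypassable.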


- ----------------------
Solution:
- ----------------------

Please check the vendor's website for new patches.

Meanwhile you should remove the following files from your server:

upload.php
administrator/upload.php
administrator/gallery/uploadimage.php

- ----------------------
Greetz:
- ----------------------

Cyon, daemorhedron, Tt, Truckle, ps.

<------- ------->

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlsEARECABsFAj4gAHAUHG1pbmR3YXJwZXJAaHVzaC5jb20ACgkQAsMgi84kQcTvXgCd
EII2uHQOs8cFvU157lx7nqpfLkUAn3UiaahYXzfjuliuZuz43ay/PcZ7
=aemt
-----END PGP SIGNATURE-----
