-------------------------------------------------------------------- Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection -------------------------------------------------------------------- author...............: EgiX mail.................: n0b0d13s[at]gmail[dot]com software link........: http://www.boonex.com/dolphin affected versions....: from 7.0.0 to 7.0.7 [-] vulnerable code in /member_menu_queries.php 61. case 'get_bubbles_values' : 62. $sBubbles = ( isset($_GET['bubbles']) ) ? $_GET['bubbles'] : null; 63. if ( $sBubbles && $iMemberId ) { 64. 65. $aMemberInfo = getProfileInfo($iMemberId); 66. if($aMemberInfo['UserStatus'] != 'offline') { 67. // update the date of last navigate; 68. update_date_lastnav($iMemberId); 69. } 70. 71. $aBubbles = array(); 72. $aBubblesItems = explode(',', $sBubbles); 73. 74. if ( $aBubblesItems && is_array($aBubblesItems) ) { 75. $bClearCache = false; 76. foreach( $aBubblesItems as $sValue) 77. { 78. $aItem = explode(':', $sValue); 79. 80. $sBubbleCode = null; 81. foreach($aMenuStructure as $sKey => $aItems) 82. { 83. foreach($aItems as $iKey => $aSubItems) 84. { 85. if( $aSubItems['Name'] == $aItem[0]) { 86. $sBubbleCode = $aSubItems['Bubble']; 87. break; 88. } 89. } 90. 91. if ($sBubbleCode) { 92. break; 93. } 94. } 95. 96. if ($sBubbleCode) { 97. $sCode = str_replace('{iOldCount}', $aItem[1], $sBubbleCode); 98. $sCode = str_replace('{ID}', $iMemberId, $sCode); 99. 100. eval($sCode); When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code. Successful exploitation of this vulnerability requires authentication, but is always possible to create a new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration. [-] Disclosure timeline: [25/09/2011] - Vulnerability discovered [26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm [26/09/2011] - A moderator hide the topic [29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact [04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum [04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden [05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place" [05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"; [08/10/2011] - Vendor replied that a patch will be released as soon as possible [13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1 [18/10/2011] - Public disclosure [-] Prroof of concept: http://www.exploit-db.com/exploits/17994/
