CVE Number: N/A (not assigned) Title: CakePHP AssetDispatcher Local File Inclusion Vulnerability Affected Software: Confirmed on CakePHP v2.3.7, v2.2.8 (prior versions may also be affected) Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc. Issue Status: v2.3.8 & 2.2.9 was released which fixes this vulnerability Overview: CakePHP is an open-source web application framework for PHP. CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to LFI (Local File Inclusion) attack. Remote attacker can abuse this vulnerability to steal files on the server or execute PHP commands, if the target application has one or more themes or plugins. It is caused by insufficient input validation in AssetDispatcher class. Details: CakePHP's AssetDispatcher class serves asset resources (such as image files) stored under individual theme or plugin directory. This class determines requested resource's path based on PATH_INFO of request URI. To prevent attacks, this class validates PATH_INFO and stops loading requested resource if PATH_INFO contains ".." sequence. But after the validation step, PATH_INFO will be urldecoded in _getAssetFile(). This allows attackers to bypass ".." check by urlencoded dot chars (%2e). I present two examples of attack URI. In both examples, Cake serves the content of /etc/passwd in HTTP response body. UR1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e. //%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd Successful attack requires one or more themes on the target server. In the example above, the target application must have "Test1" theme. This restriction is due to file_exists() check in beforeDispatch(). URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.// %2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd Second example is almost same as first one. The difference is that second one requires one or more Cake plugins with webroot directory. The plugins must be actually enabled on the target server. The requested resource is served via include statement, so that PHP code execution by LFI is possible if the target Cake application allows uploading files such as image, text and so on. Timeline: 2013/07/16 Reported to CakePHP Security ML 2013/07/18 Vender announced v2.3.8 & 2.2.9 2013/08/13 Disclosure of this advisory Recommendation: Upgrade to the latest version. Reference: http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released