Family Connections <= 2.1.3 Multiple Remote Vulnerabilities


 Name               Family Connections
 Vendor             http://www.familycms.com
 Versions Affected  <= 2.1.3

 Author             Salvatore Fresta aka Drosophila
 Website            http://www.salvatorefresta.net
 Contact            salvatorefresta [at] gmail [dot] com
 Date               2009-12-16

X. INDEX

 I.   ABOUT THE APPLICATION
 II.  DESCRIPTION
 III. ANALYSIS
 IV.  SAMPLE CODE
 V.   FIX
 VI.  DISCLOSURE TIMELINE


I. ABOUT THE APPLICATION

Based on one of the world's leading structure and content
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is a powerful application for handling multiple
websites. This is a commercial application.
Keep your family "Connected" with this content management
system (CMS) designed specifically with families in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and a recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language support.


II. DESCRIPTION

Many fields are not properly sanitised and some checks can
be bypassed.


III. ANALYSIS

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple Arbitrary File Upload
 C) Local File Inclusion

A) Blind SQL Injection

All fields that I tested are vulnerable to Blind SQL
Injection.
I can't report all vulnerable files because there are many.
Most of the injections don't require that Magic Quotes GPC
(php.ini) is set to Off.
However, an attacker may try to exploit this vulnerability
using the full path disclosure released by the MySQL error
to write a file into the remote file system, using as
destination path the gallery directories, where the
permissions must be set to 777.


B) Multiple Arbitrary File Upload

When we write a module to upload a file, we must check the
file extension without relying on the Content-Type HTTP
header, because the client can set that header to any value.
This CMS uses the Content-Type header to validate the
extension.


C) Local File Inclusion

In settings.php a user can set the favourite theme to use.
This theme is included using the include_once PHP function.
The original path is themes/, but by using the directory
traversal sequence a user can include arbitrary files.
There is a limit on the number of characters that can be
used: the theme field in the database has a length limit
of 25.
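As an added example that is not part of this advisory or of the Family Connections code, the PHP below shows how the theme include (section C) and the gallery upload check (section B) can be written so that neither trusts the submitted value: the theme name is reduced to a plain identifier and the resolved path is re-checked against themes/, and the upload is judged by an extension allow-list plus the file header rather than by Content-Type. The themes/<name>/theme.php layout and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Family Connections' own code. Directory layout,
// file names and function names are assumptions for illustration.
const THEMES_DIR = __DIR__ . '/themes';

/**
 * Map a user-chosen theme name to the file to include, or return null.
 * Rejects "../ReadMe.txt\0"-style values (section III.C) before any
 * filesystem call, then re-checks that the resolved path stays under themes/.
 */
function resolveThemeFile(string $theme): ?string
{
    // A theme name is a short plain identifier, nothing else (no "/", ".", or NUL).
    if (preg_match('/\A[A-Za-z0-9_-]{1,25}\z/', $theme) !== 1) {
        return null;
    }
    $root      = realpath(THEMES_DIR);
    $candidate = realpath(THEMES_DIR . '/' . $theme . '/theme.php');
    if ($root === false || $candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Decide whether an uploaded file may be stored in the gallery (section III.B).
 * $_FILES[...]['type'] is the client's Content-Type and is never consulted;
 * the extension allow-list and the file header are checked instead.
 */
function isAllowedImageUpload(string $tmpPath, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return false;
    }
    $info = @getimagesize($tmpPath);            // reads the magic bytes, not the header field
    return $info !== false
        && in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

// Usage: fall back to the default theme instead of including whatever was posted.
$requested = $_POST['theme'] ?? 'default';
$file = (is_string($requested) ? resolveThemeFile($requested) : null)
    ?? resolveThemeFile('default');
if ($file !== null) {
    include_once $file;
}
```

Store an accepted upload under a server-generated name with the validated extension, since a valid image header alone does not stop a file whose original name carries a script extension from being executed if it is saved as-is.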


IV. SAMPLE CODE

A) Multiple Blind SQL Injection

http://site/path/profile.php?member=1 AND IF(ASCII((SELECT CHAR(90)))
= 90, BENCHMARK(10000000, MD5(0x90)), NULL)

http://site/path/messageboard.php?thread=1 AND 1=1
http://site/path/messageboard.php?thread=1 AND 1=0

B) Multiple Arbitrary File Upload

A PoC that uploads a PHP shell can be downloaded here:
http://www.salvatorefresta.net/files/poc/PoC-FC213.c


C) Local File Inclusion

Edit the POST packet and send the modified theme value
like the following: ../ReadMe.txt\0


V. FIX

No Fix.


VI. DISCLOSURE TIMELINE

2009-12-16 Bug discovered
2009-12-16 Initial vendor contact
2009-12-16 Advisory Release