Theory – Code Execution

Details

Affected Software: BackupWordPress

Fixed in Version: 0.4.3

Issue Type: Code Execution

Original Code: Found Here

Description

This particular bug was a remote file inclusion vulnerability in a WordPress plugin known as BackupWordPress. The vulnerability was publicly disclosed on milw0rm by the “Xmors Underground Team” (http://www.milw0rm.com/exploits/4593). Combined with the register_globals behavior of older PHP versions, it allowed attackers to simply supply “$GLOBALS['bkpwp_plugin_path']” as a parameter in the URL of a GET request, giving the include an attacker-controlled location.

The developers fixed this particular vulnerability by removing the $GLOBALS lookup from the source and reading the path from a defined constant instead.

Developers Solution

<?php

-require_once $GLOBALS['bkpwp_plugin_path']."Archive/Predicate.php";
+require_once BKPWP_PLUGIN_PATH."Archive/Predicate.php";
require_once "MIME/Type.php";


class File_Archive_Predicate_MIME extends File_Archive_Predicate
{
    var $mimes;

   
    function File_Archive_Predicate_MIME($mimes)
    {
        if (is_string($mimes)) {
            $this->mimes = explode(",",$mimes);
        } else {
            $this->mimes = $mimes;
        }
    }
   
    function isTrue(&$source)
    {
        $sourceMIME = $source->getMIME();
        foreach ($this->mimes as $mime) {
            if (MIME_Type::isWildcard($mime)) {
                $result = MIME_Type::wildcardMatch($mime,$sourceMIME);
            } else {
                $result = ($mime == $sourceMIME);
            }
            if ($result !== false) {
                return $result;
            }
        }
        return false;
    }
}

?>
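Review bot: BKPWP_PLUGIN_PATH is used on the new require_once line but nothing in this file defines it, so the change should make sure the constant is defined (a define() in the plugin's entry point, or a defined() guard at the top of this file) before this file is loaded. In the PHP versions this plugin targeted, an undefined constant is treated as the bare string "BKPWP_PLUGIN_PATH" with only a notice, so the include would look for "BKPWP_PLUGIN_PATHArchive/Predicate.php" and fail in a confusing way instead of loudly; documenting the dependency on the constant in this file would help.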

Madman – File Include

Details

Affected Software: Joomla

Fixed in Version: Directory Revision 10041

Issue Type: File Include Vulnerability

Original Code: Found Here

Description

This particular vulnerability affected Joomla. The vulnerable code had symptoms which could allow for a file inclusion vulnerability (under certain circumstances). PHP based applications are especially vulnerable to remote file inclusion due to extensive use of file includes and common PHP server configurations.

File include vulnerabilities give the attacker the ability to execute arbitrary commands on the web server, resulting in the complete compromise of the Joomla installation. The PHP include(), require(), include_once() and require_once() functions are great candidates for remote file include attacks, and in this case we see that the Joomla code base makes use of the require_once() function.

Although the Joomla developers checked in a code change which changed the require_once() function to a require(), the real fix will be a configuration change for the PHP server (turning register_globals off). What's a bit surprising is that the Joomla developers checked in a code change which was designed to prevent a file include vulnerability but changed the require_once() function to a require() function. Typically, file inclusion vulnerabilities are fixed by changing a require() function call to a require_once() function call and explicitly loading the required library before the attacker has a chance to influence the file inclusion. Once again, the authors of this blog are not responsible for the code fixes checked into the software branch :)

It is also interesting that we see a call to the include() function, which remained unchanged:

include ($mosConfig_absolute_path .'/offline.php');
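The pattern both entries above circle around, shown as an added example rather than code from BackupWordPress or Joomla: the include directory is fixed from the file's own location at load time instead of being read from a global that register_globals could have filled from the request, and a hypothetical helper (bkpwp_require_local, a name chosen here) refuses any path that does not resolve to a real file under that directory.

```php
<?php
// Added example, not code from either project. Shows the hardened shape
// behind the BackupWordPress fix; the same idea applies to the Joomla
// includes built from $mosConfig_absolute_path.

// Before (the vulnerable shape): the directory comes from a global variable.
// With register_globals on, a request parameter of the same name would have
// populated that global before this line ran.
//   require_once $GLOBALS['bkpwp_plugin_path'] . "Archive/Predicate.php";

// After: a constant derived from __FILE__. Constants cannot be reassigned
// and __FILE__ is set by the interpreter, so no request data reaches it.
if (!defined('BKPWP_PLUGIN_PATH')) {
    define('BKPWP_PLUGIN_PATH', dirname(__FILE__) . DIRECTORY_SEPARATOR);
}

/**
 * Hypothetical helper (not part of either project): include a library file
 * only if it resolves to an existing file underneath BKPWP_PLUGIN_PATH.
 * Returns true on success, false (after a warning) if the path is refused.
 */
function bkpwp_require_local($relative)
{
    $base = realpath(BKPWP_PLUGIN_PATH);
    $full = realpath(BKPWP_PLUGIN_PATH . $relative);

    // realpath() collapses ".." segments and returns false for anything that
    // does not exist on the local filesystem, so a URL or a traversal
    // attempt never yields a path that starts with $base.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        trigger_error("Refusing to include '$relative'", E_USER_WARNING);
        return false;
    }

    require_once $full;
    return true;
}

// The server-side half of the fix the Joomla entry points at: warn loudly if
// the deployment still has register_globals enabled (returns false on PHP
// versions where the directive no longer exists).
if (ini_get('register_globals')) {
    trigger_error('register_globals is enabled; disable it in php.ini', E_USER_WARNING);
}

bkpwp_require_local('Archive/Predicate.php');
```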

Developers Solution

// Set flag that this is a parent file
define( '_VALID_MOS',1 );

if (!file_exists( '../configuration.php' )) {
header( 'Location:../installation/index.php' );
exit();
}

require( '../globals.php' );
-require_once( '../configuration.php' );
+require( '../configuration.php' );

// SSL check - $http_host returns <live site url>:<port number if it is 443>
$http_host = explode(':',$_SERVER['HTTP_HOST'] );
if( (!empty( $_SERVER['HTTPS'] ) &&strtolower( $_SERVER['HTTPS'] ) != 'off' || isset( $http_host[1] ) &&$http_host[1] == 443) &&substr( $mosConfig_live_site,0,8 ) != 'https://' ) {
$mosConfig_live_site = 'https://'.substr( $mosConfig_live_site,7 );
}

require_once( '../includes/joomla.php' );
include_once ( $mosConfig_absolute_path . '/language/'. $mosConfig_lang .'.php' );

//Installation sub folder check,removed for work with SVN
if (file_exists( '../installation/index.php' ) &&$_VERSION->SVN == 0) {
define( '_INSTALL_CHECK',1 );
include ($mosConfig_absolute_path .'/offline.php');
exit();
}

$option = strtolower( strval( mosGetParam( $_REQUEST,'option',NULL ) ) );
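Review bot: the only change is require_once to require on '../configuration.php', and the reason should be stated in a comment next to it: require always re-executes the file in this scope, so $mosConfig_absolute_path, $mosConfig_live_site and $mosConfig_lang are re-assigned from the configuration even if the file was already pulled in elsewhere, whereas require_once would skip it and leave whatever those variables held at that point. That matters here because the later include_once of '/language/'.$mosConfig_lang.'.php' and the include of '/offline.php' both build their paths from $mosConfig_absolute_path, so the hunk should also note that these variables must only ever originate from configuration.php, and that with register_globals on the correctness of every include below still depends on that one line running.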