
Weblinks php decoration. Hacks and additions. Executing arbitrary code in CakePHP

This month, bug hunters have not spoiled us with new high-profile exploits in popular applications. A lot of advisories have of course been published for products of well-known companies, but very few of them contain usable PoC code. In this review I have tried to collect the most significant and complete vulnerabilities described recently, so sit back and enjoy reading.

PHP vulnerability when processing HTTP HEAD requests

Brief

On March 3, a researcher named Adam Ivanyuk described an interesting feature of the PHP interpreter, which does not handle HEAD requests quite correctly. He called this vulnerability "HTTP HEAD method trick in php scripts".

Many coders write their PHP scripts assuming that every instruction in them will execute to the end without the script stopping somewhere in the middle (especially in short scripts). That is what happens when the end user requests the script with the GET, POST or PUT methods.

But there are other HTTP methods, for example HEAD, and it is precisely when PHP processes this method that a security hole can appear.

Let's look at one of the interpreter sources, ./main/SAPI.c, line 315:

    if (SG(request_info).request_method &&
        !strcmp(SG(request_info).request_method, "HEAD"))
    {
        SG(request_info).headers_only = 1;
        ...

Whenever the script produces output, the php_ub_body_write function is executed. Now look at main/output.c, line 699:

    if (SG(request_info).headers_only) {
        if (SG(headers_sent))
        {
            return 0;
        }
        php_header(TSRMLS_C);
        zend_bailout();
    }

Here you can see that on the first attempt to write output to the client, if the request was made with the HEAD method, the headers are sent and the zend_bailout function terminates the script; nothing after that first output statement runs.

Exploit

Now let's request this script with the HEAD method:

As you would expect, our guest book stops executing at the line "echo $data;", so the book.txt file is simply emptied (truncated to zero length).
This example is rather destructive in nature. In the second example we bypass authorization in a primitive admin panel:

In this script, when the user logs in with the usual methods, an administrative variable is set in the session. Then, if the user has entered an incorrect password, this variable is reset and the user does not become an admin.

If we access the admin panel via HEAD, its execution is interrupted at the piece of code containing "echo", so the administrative variable is never reset and we can freely wander around the closed part of the application. The thing to keep in mind here is that most web servers have the output buffering value set to 4096 bytes, so in a working example the response may need to exceed that, which is what the string 'A long string contains about 4090 characters' is for.
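The following PHP is an added illustration written for this review, not the admin panel script from the original article. The session array, the password hash and the HEAD simulation are constructed stand-ins: the real interpreter stops the script inside its output layer with zend_bailout(), which is modelled here by an exception thrown from a stand-in output function. It contrasts the ordering described above (grant, output, revoke) with the safe ordering (decide, store, output last).

```php
<?php
declare(strict_types=1);
// Added example for this review; not the original article's script.
// The session array, password hash and HEAD simulation are constructed.

final class HeadBailout extends RuntimeException {}

/** Stand-in for PHP's output write; under HEAD the real one calls zend_bailout(). */
function emit(string $html, string $method): void
{
    if ($method === 'HEAD') {
        throw new HeadBailout('script terminated at first output write');
    }
    echo $html;
}

/** Vulnerable ordering: privilege set, output written, privilege revoked afterwards. */
function loginVulnerable(array $post, array &$session, string $hash, string $method): void
{
    $session['admin'] = true;                          // optimistic grant
    emit("<h1>Admin panel</h1>\n", $method);           // may never return under HEAD
    if (!password_verify($post['password'] ?? '', $hash)) {
        $session['admin'] = false;                     // unreachable under HEAD
    }
}

/** Safe ordering: decide first, store the decision, write output last. */
function loginSafe(array $post, array &$session, string $hash, string $method): void
{
    $ok = password_verify($post['password'] ?? '', $hash);
    $session['admin'] = $ok;                           // the only assignment
    emit($ok ? "<h1>Admin panel</h1>\n" : "<p>Login failed</p>\n", $method);
}

/** Runs a handler with a wrong password and reports the session state afterwards. */
function runHandler(string $handler, string $method): bool
{
    $hash = password_hash('correct-horse-battery', PASSWORD_DEFAULT); // constructed
    $session = [];
    try {
        $handler(['password' => 'wrong'], $session, $hash, $method);
    } catch (HeadBailout $e) {
        // The script would be over here; only the session state matters now.
    }
    return $session['admin'] ?? false;
}

foreach ([['loginVulnerable', 'GET'], ['loginVulnerable', 'HEAD'], ['loginSafe', 'HEAD']] as [$h, $m]) {
    printf("%-16s %-4s admin=%s\n", $h, $m, runHandler($h, $m) ? 'true' : 'false');
}
```

Only the vulnerable handler under HEAD leaves the admin flag set; the safe handler produces the same session state whatever the method, because no authorization logic runs after the first output write.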

Executing arbitrary code in CakePHP

Brief

Here the $check array contains our POST data, and the $locked variable is a serialized string obfuscated with the str_rot13() function, which is completely under our control.

At this point it is worth making a small digression for those who have not read the corresponding articles in ][, and briefly recalling the bug that manifests itself in PHP's magic methods. PHP 5 introduced a basic OOP concept: the constructor and the destructor. A constructor is implemented with the "__construct" method and a destructor with the "__destruct" method. When an object is destroyed, including an object that was created by the unserialize() function, its __destruct method runs if the class defines one.

Now let's go back to our framework and look at the App class destructor from the file ./libs/configure.php:

    function __destruct()
    {
        if ($this->__cache)
        {
            $core = App::core("cake");
            unset($this->__paths);
            Cache::write("dir_map", array_filter($this->__paths),
                "cake_core");
            Cache::write("file_map", array_filter($this->__map),
                "cake_core");
            Cache::write("object_map", $this->__objects,
                "cake_core");
        }
    }

From the code above you can see that this method can be abused to write arbitrary values to the Cache object. The most interesting key is 'file_map'. It maps class names to the corresponding PHP files and is used to load additional classes during script execution.

The actual class-loading code is a little more complex, but it all boils down to the following code from the __load method of the App class:

Bingo! By controlling the $file variable we can include our own PHP code. Moreover, this is a real Remote File Inclusion bug, so no additional tricks for uploading files to the server are needed. The author of the vulnerability nevertheless suggests an LFI variant for exploiting this hole, because CakePHP uses a file-based local cache, which is stored in serialized form in a directory known to the attacker.

Exploit

As a small PoC for generating a poisonous serialized string, felix offers the following code:

Of course, you must first include the necessary classes from CakePHP. There is also a fully functional Python exploit, which you can find at malloc.im/burnedcake.py.

This exploit should work against every application built on CakePHP that uses POST forms with security tokens and has not changed the default location of the cache files. By default the exploit displays the database config; other useful features can easily be added by changing the built-in PHP payload.
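The root cause above is that the form state reaches unserialize() after a reversible obfuscation (str_rot13), so the attacker chooses the object graph that gets destructed. The following PHP is an added example for this review and not CakePHP code: it keeps the "locked fields" idea but stores the field list as JSON and authenticates it with an HMAC that is verified before anything is parsed, so unserialize() is never called on client data. The secret and field names are constructed.

```php
<?php
declare(strict_types=1);
// Added example for this review; not CakePHP code. SECRET and the field
// names are constructed stand-ins.

const SECRET = 'constructed-server-side-secret';

/** The pattern described above: obfuscation only, nothing is verified. */
function unlockFieldsLegacy(string $locked): array
{
    return unserialize(str_rot13($locked));          // attacker picks the objects
}

/** When the form is rendered: encode the field list and sign it. */
function lockFields(array $fields): string
{
    $payload = json_encode(array_values($fields), JSON_THROW_ON_ERROR);
    $tag = hash_hmac('sha256', $payload, SECRET);
    return base64_encode($payload) . '.' . $tag;
}

/** On submit: verify the tag first, then parse plain data, never unserialize. */
function unlockFields(string $locked): ?array
{
    $parts = explode('.', $locked, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $tag] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, SECRET);
    if (!hash_equals($expected, $tag)) {             // constant-time comparison
        return null;                                 // forged or tampered
    }
    $fields = json_decode($payload, true);           // scalars only, no objects
    if (!is_array($fields) || $fields !== array_filter($fields, 'is_string')) {
        return null;
    }
    return $fields;
}

// Demo with constructed data: a genuine token and one with a swapped payload.
$token = lockFields(['Post.title', 'Post.body']);
var_dump(unlockFields($token));                      // accepted
$tampered = base64_encode('["Post.title","Post.published"]') . '.' . explode('.', $token)[1];
var_dump(unlockFields($tampered));                   // rejected, tag mismatch
```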

Targets
  • CakePHP

The following excerpt from the Joomla weblinks component model builds the category listing query (the start of the method is not shown):

    ... getState("filter_order_dir");
    $filter_order = JFilterInput::clean($filter_order, "cmd");
    $filter_order_dir =
        JFilterInput::clean($filter_order_dir, "word");
    // We need to get a list of all
    // weblinks in the given category
    $query = "SELECT * " .
        "FROM #__weblinks " .
        "WHERE catid = " . (int) $this->_id .
        " AND published = 1 " .
        "AND archived = 0 " .
        "ORDER BY " . $filter_order . " " .
        $filter_order_dir . ", ordering";
    return $query;
    }

Here you can see that the $filter_order and $filter_order_dir variables are not validated against the set of column names and sort directions that are actually valid in the ORDER BY clause; the only check is the generic clean method of the JFilterInput class:
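As an added example for this review (not Joomla's own code), the query builder below replaces the generic character filtering of the sort parameters with a whitelist: the column must be one of the known weblinks columns and the direction must be ASC or DESC, otherwise the defaults are used. The column list is constructed, and cmdFilter() is only an approximation of what JFilterInput::clean($s, "cmd") keeps (an assumption, shown for comparison).

```php
<?php
declare(strict_types=1);
// Added example for this review, not Joomla code. WEBLINK_ORDER_COLUMNS is
// constructed; cmdFilter() approximates the "cmd" filter (assumption).

const WEBLINK_ORDER_COLUMNS = ['id', 'title', 'hits', 'date', 'ordering'];

/** Approximation of the "cmd" filter: keeps letters, digits, '_', '.', '-' only. */
function cmdFilter(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_.-]/', '', $value);
}

/** Whitelist check: returns [column, direction], falling back to safe defaults. */
function validateOrdering(string $filterOrder, string $filterOrderDir): array
{
    $column = in_array($filterOrder, WEBLINK_ORDER_COLUMNS, true)
        ? $filterOrder
        : 'ordering';
    $dir = strtoupper($filterOrderDir) === 'DESC' ? 'DESC' : 'ASC';
    return [$column, $dir];
}

/** Same query as the excerpt above, but only whitelisted identifiers reach ORDER BY. */
function buildWeblinksQuery(int $catid, string $filterOrder, string $filterOrderDir): string
{
    [$column, $dir] = validateOrdering($filterOrder, $filterOrderDir);
    return 'SELECT * FROM #__weblinks'
        . ' WHERE catid = ' . $catid            // integer-typed, as the (int) cast above
        . ' AND published = 1 AND archived = 0'
        . ' ORDER BY ' . $column . ' ' . $dir . ', ordering';
}

// Constructed inputs: the second and third values pass the cmd filter unchanged,
// yet neither is a column the listing should be allowed to sort by.
foreach (['title', 'created_by', 'id.title'] as $order) {
    printf("cmd filter keeps: %-12s query uses: %s\n",
        cmdFilter($order), buildWeblinksQuery(4, $order, 'desc'));
}
```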

Again, this is a very simple class with a single display method. Most of the logic here is specific to the weblinks component, but if you look closely you can find functionality that is used in most component view classes. At the end of the display method this class calls the parent (JView) display method, passing the name of the template to display. If no template name is passed, the "default" template is used.
And lastly, we open the template class.

Template Class

Let's assume that no specific template name was passed, so the default template will be used. In this case the following file is considered: .../components/com_weblinks/views/categories/tmpl/default.php

    <?php echo $this->escape($this->params->get("page_title")); ?>

Much of the logic here is specific to the component being executed. You can also see from the code that this file mixes HTML with PHP; that is the nature and purpose of a template file.

Other files used in components

Several other file types you might find in components:

• Helpers - components often use a helper.php file or a helpers directory with many files. These files typically contain only general functionality for the component.
• assets - appears to be a catch-all folder for other files included in the component.
• router.php - this file is used, when the SEF URL setting is enabled, to translate URLs in both directions (into a human-readable form with aliases and back into the Joomla system view with parameters).
• XML files - they usually define parameters and other information about the component and give an overview of it. They are used, for example, when creating component menu items.
• index.html - it is good practice to have an empty index.html file in all your directories. This is a simple passive security measure: it stops the web server from showing a directory listing.
• css/images/js - folders containing the various files that implement the design and functionality on the client side (in the browser).

There is a suggestion to replace, in the cleanText function of the file /includes/joomla.php, the line

    $text = strip_tags($text);

with

    $text = strip_tags($text, " ");

This hack is intended only for pictures inserted as normal images. For images inserted by a mambot (mosimage), this hack will not work.

How to make a direct link appear in the com_weblinks component

In weblinks.html.php you need to replace the line:

    $link = sefRelToAbs("index.php?option=com_weblinks&task=view&catid=" . $catid . "&id=" . $row->id);

with

    $link = $row->url;

How to make Joomla work on two hosts (domains) at the same time

I.e. for example, on the local network at 10.0.0.15 and from the Internet as site-firmy.ru, even though both addresses are assigned to the same machine.

Firstly, the whole point of the problem is that Joomla outputs all images and CSS files (their paths in the template) relative to its $mosConfig_live_site variable, the base address of the site entered during installation. If someone accesses it through a different address, nothing in its logic changes: the base address is still taken from the configuration file. For example, if the configuration says that Joomla is located on localhost, then accessing it from the local network, even through a correctly configured Apache listening on 192.168.0.1, changes nothing: the src of the images will still begin with "localhost", which on every other machine means that machine's own localhost.

The essence of the solution for such cases is to substitute the $mosConfig_live_site variable according to the requested host, so that all functions emit the correct links and lead the user to one or the other virtual site (giving the correct base paths for pictures and for addresses). There is an Auto live site mambot that automates this. If it does not suit you for some reason, the same thing can in principle be reproduced by hand: in configuration.php, in place of the $mosConfig_live_site definition, you write your own code, something like:

    if ($_SERVER["HTTP_HOST"] == "host1.ru") $mosConfig_live_site = "host1.ru"; else $mosConfig_live_site = "host2.ru";

Note that if you use a cache, you must also have two different cache directories for the two hosts, because links to the different hosts may get mixed up in the cache, and then a user from the wrong network will not get anywhere at all. The $mosConfig_cachepath variable is responsible for the cache.

How to make two components appear simultaneously on one page

I'll tell you right away: it is not that simple. It is not a module, after all. So, firstly, it is worth looking for an alternative: a popular component usually comes with modules that can replicate its functionality. If there is nothing like that, there is this option. It can be made as a module or, in theory, inserted into a template. The idea is to call the component via index2.php (what that is and why, read the whole FAQ). I.e. you can place an iframe with src="index2.php?option=com_component&no_html=1" at the desired insertion point for the second component, and it will be displayed there. Whether full functionality can be ensured that way is another matter, and it is unlikely. But nevertheless, it is a way out.

Or use the construction:

    mosLoadComponent("com_mycomp");

But if the component is executed in this way, you need to understand that it knows nothing about your manipulations and will work according to its own $option and $task.

How to increase the length of the title in an article

You need to run the following two commands in phpMyAdmin (there is a special page for executing SQL queries), replacing ###_ with your real table prefix. The maximum possible number is 255. In the example, 200 is used.

    ALTER TABLE `###_content` CHANGE `title_alias` `title_alias` VARCHAR(200) NOT NULL;
    ALTER TABLE `###_content` CHANGE `title` `title` VARCHAR(200) NOT NULL;

How to include full news texts in your RSS feed, not just their headlines

To do this, in the file /components/com_rss/rss.php, you need to replace

    $item_description = $row->introtext;

with

    $item_description = $row->fulltext;

How can I make two Joomla sites use the same database or the same files?

As for using one database, you need to specify the same database in configuration.php for both engines, but you need to understand what you are doing, because maintaining user sessions in this case will be very problematic, since the domains are different. I.e. login entries in the #__sessions table will (may) overlap.

If you want to use the same files without copying a large distribution, then in principle you can use the "ln -s" command on Linux to create symbolic links to the existing files instead of copying them for the new site.

How to create a virtual page accessible at a specific address in the general Joomla design (http://site.ru/super_page)
• The first way is to use some kind of SEF component, in which you specify the desired virtual path for a static page. The minus here is that such a component will start rewriting all the other links as well (and in general these components are very power-hungry and require a lot of resources).
• Create an alias for such a page using mod_rewrite and .htaccess. To do this you need to:
  • Create a static page with the text you need and find out its ID and address (it is not necessary to create such a page, it may already exist, and in general it can be any component, not necessarily com_content)
  • Come up with an alias, let it be "super_puper"
  • Open .htaccess and before the line "RewriteCond %{REQUEST_FILENAME} !-f" write:

    RewriteRule ^(super_puper) index.php?option=com_content&task=view&id=12
    RewriteCond %{REQUEST_FILENAME} !-f

  • Now, provided that Joomla is located at site.ru, when you open the link http://site.ru/super_puper the required static page with your information will open. The link itself, "index.php?option=com_content&task=view&id=12", can be whatever you need; the main thing is that it is not absolute (i.e. with http://...) but relative (it must start with index.php?...)
How to disable caching for a specific article

This may be necessary if you use the rd_addphp mambot to insert scripts that should generate random numbers or random text on every request, regardless of the Joomla caching system. To disable caching of a certain item, you need to find out its ID (in the admin panel, while editing, look at the address bar, it will say something like "...&id=123..."). So 123 will be our article ID. In the file /components/com_content/content.php, at approximately line 1600, you need to replace

    $cache->call("HTML_content::show", $row, $params, $access, $page);

with

    if ($row->id != "123") $cache->call("HTML_content::show", $row, $params, $access, $page);
    else HTML_content::show($row, $params, $access, $page);

where 123 is the ID of the article you need.

I installed a lot of components, but the list of components in the admin menu shows only some of them, followed by "More components...". How do I display all components?

In the file /administrator/modules/mod_fullmenu.php you need to replace the line

    $topLevelLimit = 19;

with

    $topLevelLimit = 199;

How to install a copy of a component

It must be said that the task is extremely difficult. If you don't understand how the component works, you shouldn't even try. For those who still want to, the main points:

• In the XML file, rename the component name in the name tag
• Next, rename the tables used (firstly in the XML file, and secondly in all component files, wherever the $database database object and the setQuery method are used)
• Rename all paths in the component too. Paths can be used in references to itself or in the names of included files. Most often this comes down to searching for the substring com_componentname and replacing it with the new one.

But this method guarantees nothing. With simple components it is possible and will work; with complex ones, no one can make any promises.

How to make one position randomly show one of the modules assigned to it
• Option 1 - hack the mosLoadModules function. In the template, in the place where one of N modules must be displayed, we write (pay attention to the third argument):

    mosLoadModules("position", display_setup, true);

And we slightly correct the function itself:

    function mosLoadModules($position = "left", $style = 0, $show_random = false)
    {
        ...
        $allModules =& initModules();
        if (isset($GLOBALS["_MOS_MODULES"][$position])) {
            $modules = $GLOBALS["_MOS_MODULES"][$position];
        } else {
            $modules = array();
        }
        // add here
        if ($show_random && sizeof($modules) > 0) {
            $tmp = $modules[rand(0, sizeof($modules) - 1)];
            $modules = array($tmp);
        }
        // end of added statement
        if (count($modules) < 1) {
            $style = 0;
        }

We added a third argument to it (which is used in the template, where we wrote true) and modified the code.

• Option two is more painless, since we only modify the template, but more labor-intensive, since we need to create several positions. First, create several new module positions, for example new1 ... new10, and save. In the right place in the template, before the call to the mosLoadModules function, add the necessary code:

    $rand_num = rand(1, 10); // from 1 to 10 - as in the position names
    mosLoadModules("new" . $rand_num, display_settings);

I believe that by renaming the /administrator/ folder I will make my site more secure

This option is not provided as standard. But in fact it is possible: by searching through the Joomla files, you can replace every occurrence of that word with your own secret one. Later, errors about being unable to access files may pop up, but knowing the file and line number, they can be corrected. So the problem is, in principle, solvable.

Let's start our look at components with how the basic Weblinks component operates in the administrative part of a website. This component is typical for that part of the site and is very similar to the other components designed to manage articles, users, modules, etc.

The program files for this component are listed below. All of them are located in the folder administrator/components/com_weblinks. Throughout the rest of this chapter, all Weblinks component file names are given relative to this starting folder unless otherwise noted. Most of the files are organized according to the MVC pattern: all view files are in the views subfolder, and the main model and controller files are in the models and controllers subfolders, respectively. They are supplemented by installation, configuration and auxiliary files.

Files of the administrative part of the Weblinks component, except for index.html files

• controllers/weblink.php - Controller for editing a single web link
• controllers/weblinks.php - Controller for compiling and displaying the list of web links on the Weblinks Manager screen
• helpers/weblinks.php - Provides various methods used in controllers and views
• models/fields/ordering.php - JFormField class displaying the web link ordering column on the Weblinks Manager screen
• models/forms/weblink.xml - XML file used by the JForm and JFormField classes to lay out the form with input fields for editing a web link
• models/weblink.php - Model for the single web link edit screen
• models/weblinks.php - Model for the Weblinks Manager screen
• sql/install.mysql.utf8.sql - SQL file that creates the web links table during installation
• sql/uninstall.mysql.utf8.sql - SQL file that removes the web links table during uninstallation
• tables/weblink.php - Table class used by the models
• views/weblink/tmpl/edit_metadata.php - Layout file for editing web link metadata
• views/weblink/tmpl/edit_params.php - Layout file for editing the options of a single web link
• views/weblink/tmpl/edit.php - Layout file for editing a web link
• views/weblink/view.html.php - Main view class for displaying a single web link in HTML format
• (layout file whose name was lost in extraction) - Layout file for the Weblinks Manager screen
• views/weblinks/view.html.php - Main view class for displaying the list of web links in HTML format on the Weblinks Manager screen
• access.xml - XML file providing the list of actions for the access control list (ACL) system
• config.xml - XML file providing the list of configuration options for the component
• controller.php - Main controller class
• weblinks.php - Entry point for the request
• weblinks.xml - XML file used to control the installation process