[VIM] Interesting Scry stuff
Steven M. Christey
coley at mitre.org
Tue Apr 25 01:10:45 EDT 2006
Issues:
various issues in Scry 1.1, index.php p parameter
Note - the package hasn't been updated since 2004.
Refs:
BUGTRAQ:20060421 Scry Gallery Directory Traversal & Full Path
Disclosure Vulnerabilites
http://www.securityfocus.com/archive/1/archive/1/431716/100/0/threaded
BUGTRAQ:20060424 Scry Gallery XSS Vulnerability
http://www.securityfocus.com/archive/1/archive/1/431853/100/0/threaded
With the index.php/p vector, the above 2 disclosures covered these bug
types:
- directory traversal
- path disclosure
- XSS
Since I'm on my XSS-hides-other-bugs kick, I grabbed the source code
to take a look.
First, I noticed that the XSS is not exclusively resultant from a
failed directory traversal, thanks to verbose unfiltered error
messages:
if ($VIEW == 'list') {
$IMAGE_DIR = $_GET['p'];
} else {
...
...
$PATH = "$CFG_path_images/$IMAGE_DIR/$IMAGE_FILE";
$PATH_BASEDIR = "$CFG_path_images/$IMAGE_DIR";
...
if (!is_readable($PATH)) { // FS READ
die("$PATH does not exist or is not readable by the webserver - please verify settings in setup.php");
So we have application-controlled XSS, which is good enough in CVE's
book for a separate item.
But, before we got to the XSS above, we skipped over the following
code:
path_security_check($PATH, $CFG_path_images);
That sounds interesting enough, especially since the developer's front
page says that the code was designed with security in mind.
I can see how the XSS got through, if it's just checking for paths
under an expected web root. But what about the directory traversal?
// function path_security_check(string $victim, string $test)
//
// the resolved path of $victim must be below $test on the filesystem
//
function path_security_check($victim, $test) {
if (eregi("^" . rtrim('/', $test) . ".*", rtrim('/', realpath($victim)))) {
return true;
}
die("path security check failed: $victim - $test");
} // function path_security_check
Well, we see here with the "die" command another vector for
application-controlled XSS.
But that eregi() call seems to be looking for "/" characters and,
presumably, would barf if certain substrings don't match.
It's even using realpath(), which you'd like to see for directory
traversal tests.
Looking up rtrim() in the PHP online manual, we see that it's intended
to strip all whitespace at the end of the string. An optional
argument allows you to specify any bag of characters to strip. So,
this code is apparently trying to strip a "/" from the end of the
string.
Except the attacker probably could provide pathname arguments that
don't end in a string.
And - much more relevant to this situation - the PHP manual says that
the characters to trim are specified in the *second* argument, not the
first - like we see in the code above.
So, because of the switched arguments, the rtrim('/', $test)
expression would likely return "", which means we get a regexp of:
^.*
which sounds very likely indeed to match whatever comes back from the
realpath argument, thus most any inputs would pass the sanity check.
... except, for some reason, when you go to the developer's web site
and click on the "1.1 demo album link", you get a verbose error
message that generates a failed path_security_check - but prints out
$victim and $test variables that appear to be equal!
- Steve
More information about the VIM
mailing list