Security Issue / SiteFrame hacked

21 June 2005
by Spencer Pro

Well, it has finally happened... www.sakyant.com was hacked... guess Siteframe has a long way to go in regards to security...

http://www.frsirt.com/english/advisories/2005/0731
 FrSIRT Advisory : FrSIRT/ADV-2005-0731

CVE Reference : CAN-2005-1965
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-06-10

 * Technical Description *

A vulnerability was identified in Siteframe, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to an input validation error in the "siteframe.php" script when processing a specially crafted "LOCAL_PATH" variable, which may be exploited by attackers to include arbitrary files and execute remote commands with the privileges of the web server.

 * Affected Products *

Siteframe versions 3.x

 * Solution *

The FrSIRT is not aware of any official supplied patch for this issue.

 * References *
http://www.frsirt.com/english/advisories/2005/0731
 * Credits *

Vulnerabilities reported by PRI[l

 * ChangeLog *

2005-06-10 : Original Advisory
2005-06-15 : Updated CVE

Ouch...

Siteframe (3.x especially) has some, but really very few, inclinations to security, unfortunately. I'll have to see about fixing that one, however.

Glen Campbell at 08:36 AM on 21 June 2005 [Reply]

Not sure

I'm still not sure how this could have been used to exploit remotely. To set the value of LOCAL_PATH, they would have had to have been running something on the webserver (in which case, er, they're already running with the webserver privileges) or else PHP's register_globals was set ON, in which case nearly every PHP script is vulnerable. This is stated in the Siteframe README file.

Glen Campbell at 08:44 AM on 21 June 2005 [Reply]

fix for this

Quick fix; change this line:

 if ($LOCAL_PATH == "")

to this:

 if ($LOCAL_PATH != "../")

and it removes that particular avenue of access. However, if your site has register_globals=On, then there are potentially a huge number of vulnerabilities in Siteframe and every other PHP program.

Glen Campbell at 08:46 AM on 21 June 2005 [Reply]

NO SUBJECT

In siteframe.php there is this line of code:

 if ($LOCAL_PATH == "") $LOCAL_PATH = "./";

Adding this right above it will stop the attack:

 // strpos() returns false when the needle is absent, so compare with !== false
 if (strpos($LOCAL_PATH, "http", 0) !== false) { die("Nice try h4x0r!"); }
 if (strpos($LOCAL_PATH, "ftp", 0) !== false) { die("Nice try h4x0r!"); }

Spencer Pro at 09:40 AM on 21 June 2005 [Reply]

Correct

Ok, I figured it out - you could include this file remotely, and, by setting LOCAL_PATH, you could then execute any file, anywhere. :)

The above fix is still correct; it ensures that LOCAL_PATH is either "./" (for regular files) or "../" (required for admin scripts).

Glen Campbell at 10:02 AM on 21 June 2005 [Reply]
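
The allowlist idea from the last comment, written out as an added example that is not part of the thread or of Siteframe's code: LOCAL_PATH is accepted only when it is exactly "./" or "../", and a value that also shows up in request input (the register_globals case discussed above) is logged. The helper names `safe_local_path()` and `request_supplied()` and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not Siteframe code. safe_local_path() and
// request_supplied() are hypothetical helpers.

// The only prefixes the thread says Siteframe needs:
// "./" for regular files and "../" for admin scripts.
const ALLOWED_LOCAL_PATHS = ['./', '../'];

// Allowlist check: any value that is not exactly one of the two
// permitted prefixes (wrong type included) collapses to "./".
function safe_local_path($candidate): string
{
    if (is_string($candidate) && in_array($candidate, ALLOWED_LOCAL_PATHS, true)) {
        return $candidate;
    }
    return './';
}

// With register_globals=On, request parameters are copied into globals.
// Report whether a global's name also appears in request input, so the
// attempt can be logged instead of silently ignored.
function request_supplied(string $name, array ...$sources): bool
{
    foreach ($sources as $source) {
        if (array_key_exists($name, $source)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values, not taken from any real request.
$samples = ['', './', '../', '/tmp/', 'http://example.invalid/', null];
foreach ($samples as $value) {
    printf("%-28s => %s\n", var_export($value, true), safe_local_path($value));
}

// Constructed query string standing in for $_GET.
$get = ['LOCAL_PATH' => 'http://example.invalid/'];
if (request_supplied('LOCAL_PATH', $get, [], [])) {
    error_log('LOCAL_PATH arrived in request input; using ' . safe_local_path($get['LOCAL_PATH']));
}
```

Only the "../" sample keeps its value; every other input, including the URL-style one, resolves to "./".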