Well, it has finally happened... www.sakyant.com was hacked.. guess Siteframe has a long way to go in regards to security...
http://www.frsirt.com/english/advisories/2005/0731
FrSIRT Advisory : FrSIRT/ADV-2005-0731
CVE Reference : CAN-2005-1965
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-06-10
* Technical Description *
A vulnerability was identified in Siteframe, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to an input validation error in the "siteframe.php" script when processing a specially crafted "LOCAL_PATH" variable, which may be exploited by attackers to include arbitrary files and execute remote commands with the privileges of the web server.
* Affected Products *
Siteframe versions 3.x
* Solution *
The FrSIRT is not aware of any officially supplied patch for this issue.
* References *
http://www.frsirt.com/english/advisories/2005/0731
* Credits *
Vulnerabilities reported by PRI[l
* ChangeLog *
2005-06-10 : Original Advisory
2005-06-15 : Updated CVE
Ouch...
Siteframe (3.x especially) has some, but really very few, inclinations to security, unfortunately. I'll have to see about fixing that one, however.
Glen Campbell at 08:36 AM on 21 June 2005 [Reply]
Not sure
I'm still not sure how this could have been used to exploit remotely. To set the value of LOCAL_PATH, they would have had to have been running something on the webserver (in which case, er, they're already running with the webserver privileges) or else PHP's register_globals was set ON, in which case nearly every PHP script is vulnerable. This is stated in the Siteframe README file.
Glen Campbell at 08:44 AM on 21 June 2005 [Reply]
fix for this
Quick fix; change this line:
to this:
and it removes that particular avenue of access. However, if your site has register_globals=On, then there are potentially a huge number of vulnerabilities in Siteframe and every other PHP program.
Glen Campbell at 08:46 AM on 21 June 2005 [Reply]
NO SUBJECT
In siteframe.php there is this line of code:

    if ($LOCAL_PATH == "") $LOCAL_PATH = "./";

Adding this right above it will stop the attack:

    // strpos() returns false when the needle is absent and 0 when it sits at
    // offset 0, so test strictly against false instead of negating the result
    if (strpos($LOCAL_PATH, "http") !== false) { die("Nice try h4x0r!"); }
    if (strpos($LOCAL_PATH, "ftp") !== false) { die("Nice try h4x0r!"); }
Spencer Pro at 09:40 AM on 21 June 2005 [Reply]
Correct
Ok, I figured it out - you could include this file remotely, and, by setting LOCAL_PATH, you could then execute any file, any where. :)
The above fix is still correct; it ensures that LOCAL_PATH is either "./" (for regular files) or "../" (required for admin scripts).
Glen Campbell at 10:02 AM on 21 June 2005 [Reply]
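The allowlist that Glen describes (LOCAL_PATH may only be "./" for regular files or "../" for admin scripts), written out as an added example. This is not Siteframe's code and not code posted by anyone in this thread; it assumes a hypothetical siteframe.php that later does something like `require $LOCAL_PATH . 'somefile.php'`, and the function name `sf_validate_local_path` and the sample inputs are constructed for the example.

```php
<?php
// Added example, not Siteframe's own code. Assumes a hypothetical
// `require $LOCAL_PATH . 'somefile.php'` somewhere in siteframe.php.
// Instead of blocklisting "http" and "ftp" substrings, the value is
// compared exactly against the two paths the thread says are legitimate.

// The only values LOCAL_PATH is allowed to take, per the thread.
const SF_ALLOWED_LOCAL_PATHS = ['./', '../'];

/**
 * Return the validated LOCAL_PATH, or null if it is not on the allowlist.
 * An empty value keeps the original default of "./".
 */
function sf_validate_local_path($value)
{
    if ($value === null || $value === '') {
        return './';
    }
    if (!is_string($value)) {
        return null;
    }
    // Exact, type-strict match: substring checks would still let through
    // wrapper schemes ("php://", "data:"), traversal ("../../") or an
    // embedded NUL byte; an allowlist rejects all of them at once.
    return in_array($value, SF_ALLOWED_LOCAL_PATHS, true) ? $value : null;
}

// Self-check on constructed inputs (hypothetical values, not from the page).
$cases = [
    ''                          => './',
    './'                        => './',
    '../'                       => '../',
    'http://attacker.invalid/'  => null,
    'ftp://attacker.invalid/'   => null,
    '../../../../etc/passwd'    => null,
    './/'                       => null,
];
foreach ($cases as $input => $expected) {
    $got = sf_validate_local_path($input);
    if ($got !== $expected) {
        fwrite(STDERR, "unexpected result for '$input'\n");
        exit(1);
    }
}

// How siteframe.php would use it: whatever $LOCAL_PATH holds on entry
// (a caller's setting, or a request variable if register_globals is On)
// is validated before it can reach an include.
$LOCAL_PATH = sf_validate_local_path(isset($LOCAL_PATH) ? $LOCAL_PATH : '');
if ($LOCAL_PATH === null) {
    http_response_code(400);
    exit('Invalid LOCAL_PATH');
}
echo "LOCAL_PATH accepted: $LOCAL_PATH\n";
```

Run it with `php example.php`; it exits non-zero if any constructed case is mishandled. The check complements, rather than replaces, the other mitigation raised in the thread: with `register_globals = Off` in php.ini a request parameter never becomes `$LOCAL_PATH` in the first place, and the allowlist then only guards against a broken caller.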