
Archive for the ‘Privacy’ Category

9 Dec 2009

DM-FileManager 3.9.6 Cookie Injection and Authorization Bypass Vulnerability

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The first major issue we found was with DM-Albums version 2.0. After reviewing this software and helping to add greater support for WPMU installations, we moved on to DM-FileManager version 3.9.6. The first major issue we found with this software prompted us to take a deeper look at the authorization model used by this file manager software. Below is the vulnerable code and the method used to exploit it. Please be aware that this has since been fixed and is no longer vulnerable.

I discovered that cookie variables were being used to determine a user's ability to access certain features of the software. The cookies I found that mattered were:

    GROUP=ADMINISTRATORS; GROUPID=1;

The group id cookie gives you the admin.php button (footer.php, line 49) – Not necessary but it was a start.

    if($GROUPID == 1)
    {
        print(" <a href=\"admin.php\" class=\"admin\"><img src=\"ui/$USERINTERFACE/png/admin.png\" border=\"0\" height=\"15\"/></a> ");
    }

Being in the administrator group (admin.php, line 116) lets you use the admin.php page.

    if($GROUP != "ADMINISTRATORS") redirect("/?currdir=$currdir");

To exploit this we used JavaScript injection. From the login page I entered the following in the address bar and reloaded the page:

    javascript:void(document.cookie="GROUP=ADMINISTRATORS");void(document.cookie="GROUPID=1");

When the page reloaded, the admin button was in the footer of the page and it allowed me to use the admin.php page. Once in the admin interface you have full control of the file manager software and can, for example, change the admin's email address to yours and use the forgot password feature to receive the admin's unencrypted password (more on this issue in future posts).
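Both checks above trust a role that the browser supplies. As an added example (not DM-FileManager's actual fix, which this post does not show), the code below puts that cookie-based check beside one that derives the role from a server-side session. The function names, the user table and the sample sessions are hypothetical and constructed for illustration.

```php
<?php
// Added example; function names and the user table are hypothetical,
// not DM-FileManager code.

// Pattern from the post: the role is whatever the GROUP cookie says.
function is_admin_from_cookie(array $cookies): bool
{
    return ($cookies['GROUP'] ?? '') === 'ADMINISTRATORS';
}

// Server-side pattern: the session holds only a user id set at login;
// the group is looked up in server-side data the client cannot edit.
function is_admin_from_session(array $session, array $users): bool
{
    $uid = $session['user_id'] ?? null;
    if (!is_int($uid) || !isset($users[$uid])) {
        return false;
    }
    return $users[$uid]['group'] === 'ADMINISTRATORS';
}

// Constructed data: server-side user table and a client-supplied cookie jar.
$users = [
    1 => ['name' => 'admin', 'group' => 'ADMINISTRATORS'],
    2 => ['name' => 'guest', 'group' => 'USERS'],
];
$clientCookies = ['GROUP' => 'ADMINISTRATORS', 'GROUPID' => '1'];

// Constructed sessions standing in for $_SESSION after session_start().
$sessions = [
    'not logged in'      => [],
    'logged in as guest' => ['user_id' => 2],
    'logged in as admin' => ['user_id' => 1],
];

foreach ($sessions as $label => $session) {
    printf(
        "%-20s cookie check: %-5s  session check: %s\n",
        $label,
        var_export(is_admin_from_cookie($clientCookies), true),
        var_export(is_admin_from_session($session, $users), true)
    );
}
```

The cookie check returns true for every row because the cookie jar is identical in each case; only the session check distinguishes the three visitors.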

All DM-FileManager users are strongly encouraged to upgrade their software to the latest version.

9 December, 2009 at 18:36 by safety

Tags: Cookie Injection, DM-FileManager, Exploit, Hacking, Software, Vulnerability
Posted in Computer Security, Privacy | 1 Comment »

21 Oct 2009

WordPress – DM Albums Version 2.0 Critical Vulnerability



The latest version of DM Albums was released on 10/21/2009 to all WordPress users and it contains a serious flaw that can allow an attacker to remotely delete any file or folder they wish. The author has been notified of the problem and I have listed a work around below to prevent directory traversal.

After upgrading to the latest version of DM Albums I was playing with the new features and noticed the function to delete albums. I dug into the code located at wp-content/plugins/dm-albums/wp-dm-albums-ajax.php and found that there is no check to see if someone has used directory traversal. This means that anyone can delete files or directories outside of the upload directory.

Example:

    http://someblogsite/wp-content/plugins/dm-albums/wp-dm-albums-ajax.php?delete_album=../../../public_html

The vulnerable section that allows this to take place is:

    if(isset($_GET["delete_album"]) && !empty($_GET["delete_album"]) && strlen($_GET["delete_album"]) > 0)
    {
        //delete the album directory
        dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET["delete_album"]);
    }

In this code there is no check to see what is contained in the GET variable and you don’t even need to be logged in to delete files.

Below is a quick and dirty work around to prevent the problem and I would suspect there will be more checks to ensure that user input is sanitized in the near future. This work around will not prevent malicious users from deleting your albums but it will keep folders outside of the upload directory safe.

    if(isset($_GET["delete_album"]) && !empty($_GET["delete_album"]) && strlen($_GET["delete_album"]) > 0)
    {
        //remove the / character from user input
        $_GET["delete_album"] = str_replace("/", "", $_GET["delete_album"]);

        //delete the album directory
        dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET["delete_album"]);
    }

Once I hear back from the author I will update this post to let everyone know the outcome.

Update: A new release, v2.0.1, with the above mentioned work around has been released. We should also expect to see another update in the next few days that will employ more security checks and some upgrades for WordPress multi user environments as well.
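As an added example (not code from DM Albums or its author), the function below shows a stricter alternative to stripping characters: resolve the requested path and accept it only if it lies strictly inside the upload directory. `resolve_album_dir()` and the sandbox directory names are hypothetical and constructed for the demonstration; requiring a logged-in user is a separate check that is not shown.

```php
<?php
// Added example. resolve_album_dir() is a hypothetical helper, not DM Albums code.
// In WordPress the handler would also need a capability check and a nonce
// before reaching this point; this block covers only path containment.
function resolve_album_dir(string $uploadDir, string $album): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || $album === '' || strpos($album, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; false if the path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $album);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Accept only directories strictly below the upload directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sandbox so the checks run offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/holiday', 0700, true);
mkdir($root . '/public_html', 0700, true);

$inputs = [
    'holiday',                    // legitimate album
    '../public_html',             // traversal out of the upload directory
    'holiday/../../public_html',  // traversal hidden behind a valid prefix
    '..',                         // contains no "/" at all
    '.',                          // the upload directory itself
    'missing',                    // nonexistent album
];
foreach ($inputs as $album) {
    $resolved = resolve_album_dir($root . '/uploads', $album);
    printf("%-28s => %s\n", $album, $resolved === null ? 'rejected' : 'allowed');
}

// Clean up the sandbox.
rmdir($root . '/uploads/holiday');
rmdir($root . '/uploads');
rmdir($root . '/public_html');
rmdir($root);
```

Only `holiday` is allowed; every other input resolves outside the upload directory, to the upload directory itself, or to nothing.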

21 October, 2009 at 22:49 by safety

Tags: DM-Albums, Exploit, Hacking, Software, Vulnerability, WordPress
Posted in Computer Security, Privacy | No Comments »

10 Oct 2009

Flash Cookies and What You Don’t Know

If you have been browsing the internet for any period of time, I’m sure you have heard of cookies. Even though you may not be entirely sure what they do, you certainly know how to delete them. Right?

Cookies are files websites save on your computer that contain information about you. There are several legitimate purposes for these files such as remembering your login information so you don’t have to sign in every time you visit a site, keeping up with cart information as you shop online and in some cases online security such as banking sites.

With the good also comes the bad. A quick search on Google for tracking cookies will return page after page of articles on this topic. A tracking cookie will monitor your movement around the internet and will phone home to let its authors know what you are doing online. With this information they will tailor their advertising on affiliate sites so that you only get ads for what they believe interests you, or they will sell this information to other advertisers.

“So what’s the big deal? My browser is set up to delete cookies at regular intervals and I don’t allow them from third party sites.”

Well, here is a little fact that you may not know. The same technology that powers streaming video, online games, and animated movies has the ability to set these cookies as well. The technology I am referring to is the Flash plugin, currently developed by Adobe. These “special” cookies are not created or treated the same way as the cookies that we have all come to know and love. In fact, your browser has, on its own, no control over these cookies at all.

To illustrate this point, clear your browser cookies and then take a look in the following location(s):

  • Windows: Under your current user’s Application Data directory, click on Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\flashplayer\sys.
  • Mac OS X: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/[package ID of your app]/ and ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
  • GNU-Linux: ~/.macromedia

Using your browser to clear cookies had no effect whatsoever on the flash cookies. That possibly and probably means that your actions are still being tracked as you surf the net. What’s more, flash cookies have the ability to restore the normal cookies that your browser just deleted.

“So what can I do about these cookies? You said earlier that my browser on its own could not delete these cookies, what does that mean?”

A developer going by the name of NettiCat has developed an add-on for Firefox called Better Privacy that will do the dirty work for you. This add-on allows you to clear these cookies when you open or close your browser, at regular intervals, and manually.

Now feel free to go trash those stale cookies and be on the lookout for them popping up again.

10 October, 2009 at 20:48 by safety

Tags: Flash, Flash Cookies, Linux, Mac, Privacy, Windows, XP
Posted in Computer Security, Linux, Mac OS X, Privacy, Windows | 4 Comments »
