PHPKit 1.6.6: Code Execution for Privileged Users


Today’s gift in our advent calendar contains PHPKit, a German web content management system in development since early 2002. With its ~42,000 lines of code, it is a rather small application; the latest version is 1.6.6. This post describes two severe vulnerabilities in the administration section that require only a minimal user permission for exploitation.

RIPS Analysis

Within only 24 seconds, the analysis with RIPS completed and uncovered critical security vulnerabilities, mainly in the administration section of the application. As we demonstrated in multiple previous calendar posts, such vulnerabilities can be chained with other vulnerabilities that first escalate to administrative privileges and then allow these issues to be exploited.

The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post since there are no fixes available.

See RIPS report

Case Study

Example 1: File Upload

The first vulnerability enables a malicious user to upload arbitrary files - including a PHP backdoor - that can be stored anywhere on the web server, depending on its file permission configuration. The only requirement is that the attacker has access to a user account with the privilege to upload images, which could be available, for example, to editorial staff. The following code lines are affected.

pkinc/admin/mediaarchive.php, lines 51-52:

$UPLOAD = new UPLOAD();
// $_POST['image_name'] is passed through unchanged as the target file name
$UPLOAD->images($_FILES['image_file'], '../' . $config['image_archive'], $_POST['image_name']);

pkinc/func/default.php, lines 1944-1947:

class UPLOAD {
    public function images($file = '', $dir = '.', $filename = '') {
        // $filename is user controlled and becomes part of the destination path
        $filename = $filereturn[1] = $dir . '/' . $filename;
        move_uploaded_file($file['tmp_name'], $filereturn[1]);

Here, the POST parameter image_name is used completely unsanitized in the sensitive function move_uploaded_file(). This allows an attacker to upload arbitrary files into the web root and thus to execute custom PHP code on the targeted server. There is no file extension check at all, not even one like the check we described and bypassed in our [previous calendar post](/2016/serendipity-from-file-upload-to-code-execution/). It is advised not to allow users to upload files into the web root and to ensure that the file name is not under the full control of the uploading user.
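The following is an added example, not PHPKit's own code: a hardened replacement for the UPLOAD::images() pattern, in which the server generates the stored file name and the user-supplied name survives only as metadata. The storage directory, the allowed image types and the helper names are assumptions for this example.

```php
<?php
// Added example, not PHPKit's own code: hardened replacement for UPLOAD::images().
// $storageDir is assumed to be a directory outside the web root; the allowed
// image types are an assumption for this example.

function store_uploaded_image(array $file, string $storageDir): ?string
{
    // Only accept a file that PHP itself received via HTTP upload.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Decide the type from the file content, not from the client-supplied name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }

    // The stored name is generated on the server: the user controls neither a
    // path component nor the extension, so '../' and '.php' never reach
    // move_uploaded_file().
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($storageDir, '/') . '/' . $name;

    if (!is_dir($storageDir) || !is_writable($storageDir)) {
        return null;
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name; // map this to the user's display name in the database, not on disk
}

// Keep the user-chosen name only as a label, reduced to a safe character set.
function display_name_from_post(string $raw): string
{
    $base  = basename(str_replace('\\', '/', $raw));
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    return $clean === '' ? 'image' : substr($clean, 0, 100);
}

// Usage inside the admin handler, replacing the call in mediaarchive.php:
// $stored = store_uploaded_image($_FILES['image_file'], '/var/phpkit-data/images');
// $label  = display_name_from_post($_POST['image_name'] ?? '');
```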

Example 2: SQL Injection

The SQL injection in this example is rather simple and multiple similar issues exist across the application. The following lines of code are affected.

pkinc/admin/navigationcategory.php, lines 41-46:

41  $select_navcat = $_POST['navigation_cat'];
42  $select_navcat = $_POST['select_navcat'];
43  unset($select_navcat);
44  $select_navcat = 'new';
45
46  $SQL->query('UPDATE ' . pkSQLTAB_NAVIGATION . ' SET navigation_cat=\'' . $_POST['delete_links'] . '\' WHERE navigation_cat=\'' . $select_navcat . '\'');

pkinc/class/sql.php, lines 124-126:

class pkSql {
    public function query($querystring = '') {
        // the query string is executed as received, without any escaping
        mysql_query($querystring, $this->servercon);

As shown in the code summaries above, the POST parameter delete_links is not sanitized and is used directly in the MySQL query in line 46. An attacker can easily break out of the quotes and alter the query by injecting SQL commands. This can be used to change arbitrary columns of the table or to extract user data. Since RIPS has to reconstruct the SQL query completely in order to evaluate the injection point, RIPS is also able to evaluate into which table’s columns an attacker is able to write a payload. This can then be used to detect second-order vulnerabilities, for example persistent XSS. The SQL injection vulnerability can be prevented by sanitizing the tainted variable $_POST['delete_links'] using the function mysql_real_escape_string(), which prevents the attacker from breaking out of the quotes.
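The following is an added example, not PHPKit's own code: the query from navigationcategory.php in its vulnerable form next to the escaping fix the post proposes and a prepared-statement variant. The value of pkSQLTAB_NAVIGATION, the function names and the database connection are assumptions for this example.

```php
<?php
// Added example, not PHPKit's own code: the navigationcategory.php query in its
// vulnerable form beside two hardened forms. pkSQLTAB_NAVIGATION is the table
// name constant the post shows; its value here is made up.
define('pkSQLTAB_NAVIGATION', 'pk_navigation');

// Vulnerable form: the POST value is concatenated straight into the SQL text.
function navcat_update_unsafe(string $deleteLinks, string $selectNavcat): string
{
    return 'UPDATE ' . pkSQLTAB_NAVIGATION . ' SET navigation_cat=\'' . $deleteLinks
         . '\' WHERE navigation_cat=\'' . $selectNavcat . '\'';
}

// Fix proposed in the post: escape the tainted value so a quote inside it cannot
// terminate the string literal. mysqli_real_escape_string() is the mysqli
// counterpart of mysql_real_escape_string(); it needs the connection because
// escaping depends on the connection character set.
function navcat_update_escaped(mysqli $db, string $deleteLinks, string $selectNavcat): string
{
    return 'UPDATE ' . pkSQLTAB_NAVIGATION . ' SET navigation_cat=\''
         . mysqli_real_escape_string($db, $deleteLinks)
         . '\' WHERE navigation_cat=\''
         . mysqli_real_escape_string($db, $selectNavcat) . '\'';
}

// Stronger fix: a prepared statement. The values travel separately from the
// query text, so they can never change its structure.
function navcat_update_prepared(mysqli $db, string $deleteLinks, string $selectNavcat): bool
{
    $stmt = $db->prepare('UPDATE ' . pkSQLTAB_NAVIGATION
                       . ' SET navigation_cat=? WHERE navigation_cat=?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $deleteLinks, $selectNavcat);
    return $stmt->execute();
}

// Constructed input: a category name containing a single quote. In the unsafe
// form the quote closes the literal early and whatever follows is parsed as SQL;
// in the escaped form it stays inside the literal as \'.
echo navcat_update_unsafe("O'Brien", 'new'), PHP_EOL;
// $db = new mysqli('localhost', 'user', 'pass', 'phpkit'); // connection assumed
// echo navcat_update_escaped($db, "O'Brien", 'new'), PHP_EOL;
```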

Time Line

Date        What
2016/09/20  First contact with vendor
2016/09/20  Vendor discontinued development (no fixes are going to be published for the time being)

Summary

RIPS was able to find many critical security vulnerabilities in the application in a matter of seconds. Even though the issues are located in the administration section of the application, the code execution could be exploited by editorial staff that should not have full access to the server, or by an attacker with escalated privileges. Unfortunately, development is currently on hold, so no fixes are going to be made available. Hence, we do not release any security issues that would help in escalating privileges. We advise all PHPKit administrators to remove unnecessary upload privileges and to harden the web server’s file permissions.


APAV Time Table

Date         Author            Title
24 Dec 2016  Johannes Dahse    What we learned from our Advent Calendar
23 Dec 2016  Hendrik Buchwald  e107 2.1.2: SQL Injection through Object Injection
22 Dec 2016  Daniel Peeren     Security Compliance with Static Code Analysis
21 Dec 2016  Martin Bednorz    AbanteCart 1.2.8 - Multiple SQL Injections
20 Dec 2016  Martin Bednorz    Kliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
19 Dec 2016  Robin Peraglie    osClass 3.6.1: Remote Code Execution via Image File
18 Dec 2016  Daniel Peeren     Continuous Integration - Jenkins at your service
17 Dec 2016  Johannes Dahse    OpenConf 5.30 - Multi-Step Remote Command Execution
16 Dec 2016  Robin Peraglie    Redaxo 5.2.0: Remote Code Execution via CSRF
15 Dec 2016  Dennis Detering   Guest Post: Vtiger 6.5.0 - SQL Injection
14 Dec 2016  Hendrik Buchwald  The State of Wordpress Security
13 Dec 2016  Johannes Dahse    phpBB 2.0.23 - From Variable Tampering to SQL Injection
12 Dec 2016  Martin Bednorz    Teampass 2.1.26.8: Unauthenticated SQL Injection
11 Dec 2016  Daniel Peeren     Rescanning Applications with RIPS
10 Dec 2016  Hendrik Buchwald  Non-Exploitable Security Issues
9 Dec 2016   Hendrik Buchwald  Precurio 2.1: Remote Command Execution via Xinha Plugin
8 Dec 2016   Martin Bednorz    PHPKit 1.6.6: Code Execution for Privileged Users
7 Dec 2016   Hendrik Buchwald  Serendipity 2.0.3: From File Upload to Code Execution
6 Dec 2016   Robin Peraglie    Roundcube 1.2.2: Command Execution via Email
5 Dec 2016   Hendrik Buchwald  Expression Engine 3.4.2: Code Reuse Attack
4 Dec 2016   Johannes Dahse    Introducing the RIPS analysis engine
3 Dec 2016   Martin Bednorz    eFront 3.6.15: Steal your professors password
2 Dec 2016   Martin Bednorz    Coppermine 1.5.42: Second-Order Command Execution
1 Dec 2016   Hendrik Buchwald  FreePBX 13: From Cross-Site Scripting to Remote Command Execution
25 Nov 2016  Martin Bednorz    Announcing the Advent of PHP Application Vulnerabilities

Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.

Tags: martin bednorz, php, security, phpkit, apav, sql injection, file upload,

Author: Martin Bednorz

CTO, Co-Founder

Martin has 7 years of working experience as a lead web application developer. He graduated in IT security at the Ruhr-University Bochum and is conducting research on state-of-the-art code analysis and web technologies. His security background is supplemented by practical development and project management expertise.
