Precurio 2.1: Remote Command Execution via Xinha Plugin9 Dec 2016 by Hendrik Buchwald
Precurio is an Intranet portal that can be used as a calendar, phone directory, and much more. It is available as an open-source and commercial solution. We focused our analysis exclusively on the open-source version and detected several critical vulnerabilities that can be used to execute PHP code on the target system without any form of authentication.
RIPS detected many security vulnerabilities, such as SQL injection and cross-site scripting issues. In order to exploit most of these vulnerabilities in Precurio’s code base, a user account is required. Precurio also includes a lot of third-party code though that is directly accessible. These contain many vulnerabilities as well and do not require any authentication. As always, an attacker needs only a single exploitable issue for a successful attack. All third-party vulnerabilities are inside of Xinha plugins.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post since there are no fixes available.See RIPS report
Path Traversal to Code Execution
The most critical vulnerability is inside the plugin of a plugin. Xinha is a WYSIWYG HTML editor and it is shipped together with ExtendedFileManager. The file manager contains example code to demonstrate how it is used. Unfortunately this example code is extremly insecure.
The source and destination paths for copying and renaming a file in the
ExtendedFileManager are build from a static path location and unsanitized user input. This code is vulnerable because the character sequence
../ can be used to traverse the directory structure (path traversal). As a result, attackers can point the destination of the file operations to any directory on the system. We will demonstrate how this can be abused shortly.
Note, that the regular expression in the
escape() method prevents a path traversal within the file name while it misses to sanitize the directory. To avoid further security problems, the Xinha authors placed a
.htaccess file inside of the upload directory that removes the handler for PHP files, i.e. they are not evaluated but directly displayed. This way, a direct upload of PHP files is prevented.
There are multiple problems with this approach. First, not all installations are using Apache as a web server and other servers could ignore these instructions. Second, the blacklist might be missing a file extension that is attached to the PHP interpreter in the web server configuration. Third, we can use the
ExtendedFileManager as described above in order to rename the
.htaccess file. Yes, it is that simple. Once the file is disabled, an attacker can inject PHP code into the web server log file and copy it to the upload folder with an PHP extension. The vulnerability can also be used to copy configuration files into the upload folder to get access to passwords and other private information.
|2016/09/20||First try to contact vendor|
|2016/10/21||Second try to contact vendor|
|2016/11/16||Third try to contact vendor|
We tried to get in contact with the vendor both by e-mail and by web form for almost 3 months with no response.
A takeway from this analysis is to not use the Xinha plugin or open-source software using it. It contains dangerous vulnerabilities and is not maintained anymore. As a workaround, it is advised to remove the Xinha plugin or, in case of Precurio, the directory
public/library/xinha/plugins/ImageManager, as already considered by the Xinha authors.
I think we should give consideration to just deleting these folders totally, over the last year I've had a number of instances of people coming to me with these folders filled with various malware.
Third-party code in general can introduce a big threat to your application’s safety. In order to increase security, libraries and plugins should be stored outside of the web directory, i.e. it should never be directly accessible by attackers. Using a dependency manager like Composer is also a good idea because it helps to easily update libraries and warns about deprecated dependencies.
Follow us on Twitter to be notified when the next gift of our advent calendar is opened!
APAV Time Table
Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.