MantisBT

View Issue Details

ID: 0005658
Project: ATutor
Category: atutor.ca
View Status: public
Date Submitted: 2016-03-19 12:13
Last Update: 2016-06-30 17:43
Reporter: mr_me
Assigned To: mr_me
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Unix
OS: Debian
OS Version: 8
Product Version: 2.2.1
Target Version: 2.2.1
Fixed in Version: 2.2.1
Summary: 0005658: write_temp_file() File Write Remote Code Execution
Description: In editor_tab_functions.inc.php, I see:

function write_temp_file() {
        global $_POST, $msg;

        if (defined('AT_FORCE_GET_FILE') && AT_FORCE_GET_FILE) {
                $content_base = 'get.php/';
        } else {
                $content_base = 'content/' . $_SESSION['course_id'] . '/';
        }

        if ($_POST['content_path']) {
                $content_base .= $_POST['content_path'] . '/';
        }

        $file_name = $_POST['cid'].'.html';

        if ($handle = fopen(AT_CONTENT_DIR . $file_name, 'wb+')) {

                if (!@fwrite($handle, stripslashes($_POST['body_text']))) {
                        $msg->addError('FILE_NOT_SAVED');
                }
        } else {
                $msg->addError('FILE_NOT_SAVED');
        }
        $msg->printErrors();
}

A file handle is created using POST 'cid' and then it is written to using POST 'body_text'. On older versions of php or php-cgi, this is exploitable to write a php file in the web root.

cid=../../../../../../../var/www/html/ATutor/mods/hax.php%00&body_text=<?php+phpinfo();+?>

Come on man, this code is rough.
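
As an added example (not code from the ATutor project, from the pull request linked below, or from this report), the following hardened replacement for the file-name handling in write_temp_file() shows the checks a reviewer would expect: an allow-list on the content id, an explicit null-byte rejection for the PHP versions named in the notes, the basename() call the maintainer added, and a final containment check on the resolved path. The function names content_file_name() and write_temp_file_hardened() and the $content_dir parameter are assumptions for this illustration; the test inputs are constructed.

```php
<?php
// Added example (not ATutor project code): hardened file-name handling for
// the write_temp_file() sink. Names and the $content_dir parameter are
// assumptions made for this illustration.

declare(strict_types=1);

/**
 * Validate the POSTed content id and derive the target file name.
 * The content id is only ever an integer, so traversal sequences, null
 * bytes and extra extensions are rejected outright. Returns null when
 * the id is unacceptable.
 */
function content_file_name(string $cid): ?string
{
    // Reject embedded null bytes first: on PHP 4.3.0 - 5.3.29 a null byte
    // truncates the path inside fopen(), turning "x.php\0..." into "x.php".
    if (strpos($cid, "\0") !== false) {
        return null;
    }
    // Allow-list: one or more digits, nothing else.
    if (!preg_match('/^[0-9]+$/', $cid)) {
        return null;
    }
    // basename() is the fix applied in the project; kept as defence in depth.
    return basename($cid) . '.html';
}

/**
 * Write $body to $content_dir/<cid>.html, and only there.
 * Returns true on success, false on any validation or I/O failure.
 */
function write_temp_file_hardened(string $content_dir, string $cid, string $body): bool
{
    $file_name = content_file_name($cid);
    if ($file_name === null) {
        error_log('write_temp_file: rejected content id');
        return false;
    }

    $base = realpath($content_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $file_name;

    // Final containment check: the directory part of the target must be
    // exactly the content directory, whatever the checks above did.
    if (dirname($target) !== $base) {
        return false;
    }

    // LOCK_EX serialises concurrent saves; no stripslashes(), which only
    // made sense under the long-removed magic_quotes_gpc setting.
    return file_put_contents($target, $body, LOCK_EX) !== false;
}

// Demonstration with constructed inputs in a throw-away directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'atutor_demo_' . getmypid();
mkdir($dir, 0700);

$cases = [
    '42'                               => true,   // legitimate content id
    "../../../../var/www/html/x.php\0" => false,  // traversal plus null byte
    '../../../../var/www/html/x.php'   => false,  // traversal, no null byte
    '42.php'                           => false,  // extension smuggling
    ''                                 => false,  // empty id
];

foreach ($cases as $cid => $expected) {
    $ok = write_temp_file_hardened($dir, (string) $cid, '<p>hello</p>');
    printf("%-36s -> %s (%s)\n",
        addcslashes((string) $cid, "\0"),
        $ok ? 'written' : 'rejected',
        $ok === $expected ? 'as expected' : 'UNEXPECTED');
}

// Clean up the demonstration directory.
array_map('unlink', glob($dir . '/*') ?: []);
rmdir($dir);
```

Run it with the PHP CLI (`php example.php`); only the legitimate id produces a file. The allow-list on the id is the check that actually closes the hole, since basename() alone still lets a caller pick an arbitrary file name and extension inside the content directory. On the operations side, a null byte or a `../` sequence in a POST parameter to the editor is a clear signal worth alerting on in web server or WAF logs.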

Tags: No tags attached.
Affects version: SVN
SVN Revision#: f9bb47dad8f7e3b915fed23d3f6f2afd7ad76a57
Attached Files

- Relationships

- Notes
(0007350)
mr_me (developer)
2016-03-19 12:40

just in case you don't believe me, check here:

https://3v4l.org/89Ftu

Versions of php between 4.3.0 - 5.3.29 are vulnerable to attack. You can't expect users to always use the latest version of php.
(0007359)
mr_me (developer)
2016-03-21 10:01

patch: https://github.com/atutor/ATutor/pull/113/files
(0007366)
greg (administrator)
2016-03-23 19:43

added basename() to file path to prevent File Write Remote Code Execution
(0007459)
greg (administrator)
2016-06-30 17:43

Close for 2.2.2

- Issue History
Date Modified Username Field Change
2016-03-19 12:13 mr_me New Issue
2016-03-19 12:13 mr_me Status new => assigned
2016-03-19 12:13 mr_me Assigned To => greg
2016-03-19 12:40 mr_me Note Added: 0007350
2016-03-21 10:01 mr_me Note Added: 0007359
2016-03-23 19:43 greg SVN Revision# => f9bb47dad8f7e3b915fed23d3f6f2afd7ad76a57
2016-03-23 19:43 greg Note Added: 0007366
2016-03-23 19:43 greg Status assigned => resolved
2016-03-23 19:43 greg Fixed in Version => 2.2.1
2016-03-23 19:43 greg Resolution open => fixed
2016-03-23 19:44 greg Assigned To greg => mr_me
2016-06-30 17:43 greg Note Added: 0007459
2016-06-30 17:43 greg Status resolved => closed

