[ABANDONED] PcCookBook Component Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Post by gustavo » Tue Jul 11, 2006 2:02 pm

Advisory ID : FrSIRT/ADV-2006-2739
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-11

Technical Description

A vulnerability has been identified in PcCookBook (component for Joomla!), which may be exploited by attackers to execute arbitrary commands. This flaw is due to an input validation error in the "pccookbook.php" script that fails to validate the "mosConfig_absolute_path" parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the web server.

Affected Products

PcCookBook (component for Joomla!) version 1.3.1 and prior
http://www.frsirt.com/english/advisories/2006/2739

Have a nice day
Gustavo
Last edited by RobS on Thu Aug 10, 2006 8:33 pm, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Is

Post by infograf768 » Tue Jul 11, 2006 3:03 pm

Thanks for the heads-up.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Is

Post by Elpie » Wed Jul 12, 2006 2:29 am

This is the same vulnerability that exists in some of the other 3PD components we have been discussing.
The files do not include:

// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

Any component/module extension that allows direct access to the code should be considered vulnerable.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Issue

Post by Kindred » Sun Jul 30, 2006 12:10 pm

actually, the pccookbook does include this command...

however, it does not prevent the attack.


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Is

Post by infograf768 » Sun Jul 30, 2006 2:15 pm

Looked in pccookbook.php file in pccookbook 1.3.1 (last available version)
<?php
//pc_cookbook Component//
/**
* Content code
* @package hello_world
* Original @Copyright (C) 2005 Robert Prince
* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis
* @ All rights reserved
* @ pc_cookbook is Free Software
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version koyans 0.3
* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog
**/
global $mosConfig_absolute_path;
global $mosConfig_live_site;

etc.
The file looks vulnerable to me.

Same for include.pccookbook.php
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Issue

Post by Kindred » Mon Jul 31, 2006 12:48 am

I admit it should have been the first line... but the die line was included, further down in the code.


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Is

Post by infograf768 » Mon Jul 31, 2006 9:04 am

Kindred wrote: I admit it should have been the first line... but the die line was included, further down in the code.

Result is useless placed this way.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Issue

Post by Kindred » Mon Jul 31, 2006 2:11 pm

actually, I placed the die command at the top...  but they still got in through that door. :(

I have removed the PCCookBook from my site pending further analysis


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by tonyhill » Fri Sep 01, 2006 1:18 pm

Kindred,

What do you mean, "they still got in through that door"?  Do you mean someone hacked your site through pccookbook?  Who is they, and how do you know that it was pccookbook that let them in?  Also, was this a clean system, or already compromised?  Did you only add the "defined ... die ...." line to pccookbook.php, or also to include.pccookbook.php and admin.phpcookbook.php, or to all php files?

I guess where I'm going is, how do we know that adding the "defined ... die ...." line at the top of the files won't fix this vulnerability?  I'd like to see this module fixed, and it seems easy to just add that line to the top of every file.  In fact, I've already done this.

For infograf768, is there any reason to not put this line at the top of every php file?

Thanks,
Tony
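
Added example (not part of the thread, and not PcCookBook or Joomla! code): a small Python audit for the point debated above, namely whether each PHP file carries the `_VALID_MOS` guard and whether anything runs before it. The sample sources, file names and status strings are constructed for illustration, and the check is a text heuristic, not a PHP parser.

```python
import os
import re

# The guard quoted in the thread; `or`/`||` and `die`/`exit` spellings are accepted.
GUARD = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# Heuristic comment matcher: it does not parse PHP strings, so a '//' or '#'
# inside a string literal is treated as the start of a comment.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
OPEN_TAG = re.compile(r"<\?(?:php)?", re.I)

# Constructed sample sources (hypothetical files, not taken from PcCookBook).
SAMPLES = {
    "guarded.php": "<?php\n/** header */\ndefined( '_VALID_MOS' ) or "
                   "die( 'Restricted' );\nglobal $mosConfig_absolute_path;\n",
    "late.php": "<?php\nglobal $mosConfig_absolute_path;\n"
                "defined( '_VALID_MOS' ) or die( 'Restricted' );\n",
    "missing.php": "<?php\nglobal $mosConfig_absolute_path;\n",
}


def audit(src):
    """Return 'ok', 'guard-late' or 'guard-missing' for one PHP source string."""
    # Blank out comments so a commented-out guard does not count as a guard.
    code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    guard = GUARD.search(code)
    if guard is None:
        return "guard-missing"
    # Anything other than the opening tag before the guard runs unguarded.
    before = OPEN_TAG.sub("", code[:guard.start()])
    return "guard-late" if before.strip() else "ok"


def audit_tree(root):
    """Audit every .php file under root; return {relative_path: status} for non-ok files."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    status = audit(fh.read())
                if status != "ok":
                    findings[os.path.relpath(path, root)] = status
    return findings

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, audit(src))
```

Run `audit_tree()` against a copy of the extension directory; an empty result only shows that the guard is present and placed first in every file, not that the extension has been fully hardened.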


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by infograf768 » Fri Sep 01, 2006 2:17 pm

@Tonyhill
Welcome to our forums.

I am no coder, but I do know it is not always useful to put the line.
Depends if the code in the file calls some global settings.

On whether it would harm or not to put it systematically, no idea.
I guess one has to test the functionalities of the extension.

I'll ask a real coder to come here and reply to your question.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by tonyhill » Fri Sep 01, 2006 3:43 pm

Thanks!

I do understand that XSS is still a problem whenever reading a file from a variable name.  Another question for a Joomla! coder is this: how does one typically guard against XSS when needing to reference the $mosConfig_absolute_path?  It doesn't seem like I can assume that every Joomla! install must have the modules installed on the same server as the rest of Joomla!, or can I?

I am new to Joomla!, so I don't know all the ways in which it can be deployed.  If I can assume that every Joomla! install has the modules installed on the same server as the rest of Joomla!, then I can just check the URI to see if it goes to the same place.  Otherwise, I'm not sure of a good way to check this variable.

Finally, as I look through the security vulnerabilities, I see this one occurs commonly.  Would it be smart for Joomla! to provide a secure include function for modules -- one that is immune to XSS?


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by infograf768 » Fri Sep 01, 2006 3:57 pm

Reply from real coder:
On whether it would harm or not to put it systematically, the answer is no, concerning the functionalities.
It may be insufficient though to protect against all types of SQL injections.

It does protect against some xss attacks based around require's, which were those we have seen lately.

Concerning your other questions, please look at the dev site
http://dev.joomla.org/component/option, ... Itemid,32/

There is something there concerning hardening extensions.
Yes, all extensions are not only on the same server but in the same root folder.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by tonyhill » Fri Sep 01, 2006 4:16 pm

Thank you very much for the information.

I see that I was using XSS incorrectly above.  What I should have said was remote file injection.

I will go through pccookbook and see if I can apply all of the methods suggested in the security section of the developer documentation.  After I'm done, I'll be sure to contact the author of pccookbook and post something here for others to examine.


Re: [ABANDONED] PcCookBook Component Vulnerability

Post by Kindred » Thu Sep 07, 2006 6:02 pm

BTW: I am very certain that they got in via the cookbook, because my server security logs showed it to be so...


Re: PcCookBook Component for Joomla! "mosConfig_absolute_path" File Inclusion Is

Post by cordelia » Fri Oct 05, 2007 7:39 pm

infograf768 wrote:
Kindred wrote: I admit it should have been the first line... but the die line was included, further down in the code.
Result is useless placed this way.

Why is it useless? I placed it in the first line lots of times.. and indeed.. it didn't work.. but why?

Best regards
The nose of a mob is its imagination. By this, at any time, it can be quietly led.