A friend (and client) of mine started building a site using Jupiter CMS, so I decided to take a quick audit of it. It’s pretty much an example of how not to write code, and in my opinion the people who wrote it should take up farming or something instead.

Two years ago there was this file inclusion bug. Hey, no problem – it’s been patched. Or has it? Here’s the vulnerable code block again, with absolutely patently retarded mitigation in place:

if(isset($n))
    if(file_exists("$n.php"))
        if(strpos($n, "../") !== false)
            header("location: $PHP_SELF?i=error");
        else include("$n.php");
    elseif(!file_exists("$n.php"))
        header("location: $PHP_SELF?i=error");

Whee! The only check made is if the file exists when it’s got .php on the end of it, and whether or not it has ../ in it. Delicious.

Obviously that stops this from working:

index.php?n=/../../../../../../../../../../etc/passwd

But what about this?

index.php?n=/etc/passwd

Or hey, if you could drop a file anywhere on the server in a known location, it gets executed as PHP. A cursory try on doing remote-file-inclusion fails because it doesn’t pass the file_exists() check, but there’s probably some other clever tricks to get around that too.

What’s up with that retarded !file_exists()? It’s obvious they don’t get security, but maybe they don’t grok if-then-else at all? I might just add this to a list of software people can’t run on my servers.

Montpelier, IN 47359, USA fwaggle

Published:


Modified:

Never

Filed under:


Location:

Montpelier, IN 47359, USA

Navigation: Older Entry Newer Entry