GBOTD #15: minify.php Local File Inclusion

December 29, 2010

Remember yesterday’s Local File Disclosure bug? This one is in the same script: a script that serves up a given JavaScript or CSS file, performing a few basic whitespace-removal and caching functions. As you saw yesterday, it can be used to read any given file, but it can also be used, through a different parameter, to include another file. This may include uploaded malware payloads, or just logfiles, which you poisoned with one of the log poisoning vulnerabilities I mentioned earlier.

/assets/minify.php?sb=../../../../../../var/www/error_log%00%0D%0Adfsa&type=bork&fsid=s


GBOTD #14: minify.php Local File Disclosure

December 28, 2010

/assets/minify.php?files=passwd%00%0D%0A.js&base=../../../../../../../etc/
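Both minify.php bugs above come from building a filesystem path out of request parameters (a base directory and a file name) with no containment check, so a traversal sequence plus a null byte reaches any readable file, and the second parameter hands that file to an include. The following is an added example, not Gawker's minify.php: a resolver that accepts one relative name under a fixed asset root, refuses null bytes, `..` components and absolute paths, allow-lists the extension, and re-checks containment after `realpath()` has resolved symlinks. The single `file` parameter, the `ASSET_ROOT` location and the constant names are assumptions for illustration.

```php
<?php
// Added example (not Gawker's minify.php): a hardened resolver for
// request-supplied asset names. It serves the file with readfile(); it
// never include()s it, so there is no code-execution path to reach.

declare(strict_types=1);

// Assumed root for servable assets; adjust to the deployment.
const ASSET_ROOT = __DIR__ . '/assets';
const ALLOWED_EXT = ['js', 'css'];

/**
 * Return the canonical absolute path for $relative if it names a regular
 * .js/.css file inside $root, or null if the request must be refused.
 */
function resolveAsset(string $relative, string $root = ASSET_ROOT): ?string
{
    // Null bytes and other control characters are never legitimate here;
    // a %00 would otherwise truncate the name in older PHP file functions.
    if (preg_match('/[\x00-\x1F]/', $relative)) {
        return null;
    }
    // Allow only a simple relative path: letters, digits, dot, dash, underscore, slash.
    if (!preg_match('~^[A-Za-z0-9_\-./]+$~', $relative)) {
        return null;
    }
    // Refuse absolute paths and any "." or ".." path component.
    $parts = explode('/', $relative);
    if ($relative[0] === '/' || in_array('..', $parts, true) || in_array('.', $parts, true)) {
        return null;
    }
    $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $relative);
    if ($rootReal === false || $target === false || !is_file($target)) {
        return null;
    }
    // Final containment check after symlink resolution: the target must sit
    // strictly below the root, so "assets-old/x.js" next to "assets" is refused.
    if (strncmp($target, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Usage: serve exactly one allow-listed file, with a matching content type.
$requested = (string) ($_GET['file'] ?? '');
$path = resolveAsset($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$type = pathinfo($path, PATHINFO_EXTENSION) === 'css' ? 'text/css' : 'application/javascript';
header('Content-Type: ' . $type . '; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The order of checks matters: the cheap syntactic rejections run first, but the `realpath()` comparison is the one that actually guarantees containment, because it sees the path as the filesystem does rather than as the request spelled it.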


GBOTD #13: v

December 27, 2010

There’s a file at /webroot/v. No extension, no real filename… you’d catch it by plugging the most trivial dictionary attack into your web scanner. If you were to download the file and take a look at it, you’d see it’s actually a gzipped tarfile. Run it through `tar xvzf` and you’d have a backup of the entire site. It’s a bit dated, but more than enough code for you to find a few bugs in the rest of the site. No idea what that file’s doing on the webserver; maybe it was created by somebody who hacked the site and wanted to download a copy, but I doubt it, since the dates don’t line up.


GBOTD #12: Gawkerbook XSS

December 25, 2010

/webroot/extensions/gawkerbook/index.php appears to be a contact form for people who would like to contribute content for one of Gawker’s book projects. It’s vulnerable to CSRF, but that’s not all that interesting, since that’ll just put spam entries in the database. It is, however, vulnerable to POST-based XSS. If you send it the following parameters, you’ll get an alert box.

gawkerbookId="</script><script>alert(document.cookie)</script>


GBOTD #11: Admin phpinfo()

December 24, 2010

There’s a phpinfo() script located at /webroot/admin/i.php.

I hesitated to mention this one, because while a script like that really shouldn’t be found on any production server, it is in the admin directory. However, I still have come across no sign that there was any sort of password protection or other limitation on that admin directory, and the memo from Gawker’s own CTO makes me suspect that it wasn’t. Regardless, that script shouldn’t have been there in the first place.


GBOTD #10: Admin skineditor.php SQLi (Executed Via CSRF)

December 23, 2010

The $_REQUEST parameter “skin,” when passed to yesterday’s administration script at /webroot/admin/sales/skineditor.php, is unvalidated when used in an SQL DELETE query:

$query = 'DELETE FROM skin WHERE siteId = '. $this->siteId .' AND name = "'. $_REQUEST['skin'] .'" ';

This parameter can be manipulated to inject malicious data into SQL queries and tamper with database structure, leak information, or further compromise the system. In order to activate the “delete” functionality, $_REQUEST['op'] must be set to “deleteSkin”, and a value must also be passed to $_REQUEST['site'].

While this script is clearly intended to only be accessible to an administrator, the delete function can be performed via CSRF.

Merry Christmas!
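The query above has two independent problems: the skin name is concatenated into the SQL string, and the delete is triggered by any request that carries `op=deleteSkin`, so a cross-site form submission fires it with the administrator's cookies. The following is an added example, not Gawker's skineditor.php, showing both fixed together: the name is bound with a PDO prepared statement, the handler accepts the operation only from `$_POST` on a POST request, and a per-session CSRF token is required. `$pdo` connection details, the `site` parameter standing in for `$this->siteId`, and the session layout are assumptions for illustration.

```php
<?php
// Added example (not Gawker's skineditor.php): the DELETE rebuilt with a
// bound parameter, a POST-only handler and a CSRF token check.

declare(strict_types=1);

session_start();

/** Issue (once per session) the token that every state-changing form must echo back. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Constant-time comparison of the submitted token with the one in the session. */
function csrfValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

/**
 * Delete one skin for one site and return the number of rows removed.
 * The name travels as a bound parameter, never inside the SQL text.
 */
function deleteSkin(PDO $pdo, int $siteId, string $name): int
{
    $stmt = $pdo->prepare('DELETE FROM skin WHERE siteId = :siteId AND name = :name');
    $stmt->execute([':siteId' => $siteId, ':name' => $name]);
    return $stmt->rowCount();
}

// The form that reaches this handler carries the token as a hidden field:
//   <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
// A forged cross-site form cannot read the victim's session token, so it fails here.

// Handler: read from $_POST only ($_REQUEST also accepts GET and cookie values)
// and only on a POST request, so a plain link or image tag cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['op'] ?? '') === 'deleteSkin') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $siteId = filter_var($_POST['site'] ?? '', FILTER_VALIDATE_INT);
    $skin   = (string) ($_POST['skin'] ?? '');
    // Skin names are assumed to be short identifiers; reject anything else early.
    if ($siteId === false || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $skin)) {
        http_response_code(400);
        exit('Bad request');
    }
    // Assumed connection parameters; EMULATE_PREPARES off gives server-side binding.
    $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $deleted = deleteSkin($pdo, $siteId, $skin);
    echo 'Deleted rows: ' . $deleted;
}
```

The input allow-list on the skin name is defence in depth, not the fix: the prepared statement alone closes the injection, and the CSRF token alone closes the forced delete. Keeping the handler off `$_REQUEST` also removes the cookie and query-string routes into it that the original accepted.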


GBOTD #9: Admin skineditor.php XSS

December 23, 2010

The $_REQUEST parameters “site” and “skin,” passed to an administration script at /webroot/admin/sales/skineditor.php, are unvalidated and echoed back to the user unchanged, resulting in multiple XSS vulnerabilities throughout the script.


GBOTD #8: Admin Config CSRF

December 22, 2010

Remember that XSS-able script from yesterday? It’s used to manage site configurations. It actually makes calls to /webroot/admin/config/ajax_handler.php.

ajax_handler.php, in turn, can be used to modify, view, or diff configuration files for the sites. It’s vulnerable to CSRF, so if you can get an Admin to hit your website, you can update those configurations with your own.


GBOTD #7: Admin Config XSS

December 21, 2010

The script at /webroot/admin/config/index.php is vulnerable to XSS. The $_REQUEST['config'] parameter is echoed out to the user without validation or sanitization.


GBOTD #6: Admin ci.php XSS

December 20, 2010

The script at /webroot/admin/ci.php contains only one line of PHP code:

echo json_encode($_SERVER);

The $_SERVER superglobal contains such XSS-able values as HTTP_REFERER, argv (an array of all arguments passed to the query string), and QUERY_STRING. Anybody with admin access (and possibly others, as noted in yesterday’s bug) would be vulnerable to this XSS attack.
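The XSS findings on this page (#12 gawkerbook, #9 skineditor.php, #7 config/index.php and #6 ci.php) are all the same defect: request-controlled data written into a response without encoding for the context it lands in. The following is an added example, not code from Gawker's site, covering the three contexts involved: an HTML text or attribute context, a value embedded inside an inline script block (the `"</script><script>` payload in #12 works because `</script>` ends the element regardless of quoting), and a raw `json_encode($_SERVER)` dump, which is made safe by declaring it as JSON rather than letting the browser treat it as HTML. The `demo` routing parameter and the surrounding markup are assumptions for illustration; the parameter names come from the posts.

```php
<?php
// Added example (not from Gawker's code base): context-aware output
// encoding for the reflected-parameter cases described above.

declare(strict_types=1);

/** Encode for an HTML text node or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Encode a value as a JavaScript literal safe to place inside an inline
 * <script>. The HEX flags turn < > & ' " into \u003C etc., so the output can
 * never contain the byte sequence "</script>" even if the input does.
 */
function jsLiteral($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

/** config/index.php and skineditor.php style: parameters reflected into HTML. */
function renderReflected(string $config, string $site, string $skin): string
{
    return '<p>Editing config ' . h($config) . ' for site ' . h($site) . '</p>' . "\n"
         . '<input name="skin" value="' . h($skin) . '">' . "\n";
}

/** gawkerbook style: a value reflected into an inline script block. */
function renderScriptEmbed(string $gawkerbookId): string
{
    return '<script>var gawkerbookId = ' . jsLiteral($gawkerbookId) . ';</script>' . "\n";
}

/**
 * ci.php style dump. Sending it as application/json (with nosniff) means a
 * <script> in HTTP_REFERER or QUERY_STRING is shown as text, not executed.
 * This fixes the XSS only; the information disclosure remains, which is why
 * such a script should not be deployed at all.
 */
function sendServerAsJson(): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo jsLiteral($_SERVER);
}

// Dispatch on an assumed "demo" parameter so each branch sets its own headers
// before writing any output.
switch ($_GET['demo'] ?? 'json') {
    case 'reflect':
        header('Content-Type: text/html; charset=utf-8');
        echo renderReflected(
            (string) ($_GET['config'] ?? ''),
            (string) ($_GET['site'] ?? ''),
            (string) ($_GET['skin'] ?? '')
        );
        break;
    case 'script':
        header('Content-Type: text/html; charset=utf-8');
        echo renderScriptEmbed((string) ($_POST['gawkerbookId'] ?? ''));
        break;
    default:
        sendServerAsJson();
}
```

For the inline-script case, `htmlspecialchars()` is the wrong tool: it would produce `&lt;/script&gt;`, which the browser does not decode inside a script element, so the value would reach JavaScript corrupted while an unencoded `</script>` would still end the block. Encoding for the context the data is actually written into is what closes each of these bugs.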

