Exploiting Local File Inclusion in A Co-Hosting Environment



Similar documents
Cross Site Scripting in Joomla Acajoom Component

Lecture 11 Web Application Security (part 1)

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Bld. du Roi Albert II, 27, B 1030 BRUSSELS Tel Fax Secure file upload in PHP web applications

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

HackMiami Web Application Scanner 2013 PwnOff

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Penetration from application down to OS

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

SSA : Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal)

Web Application Security

Webapps Vulnerability Report

Check list for web developers

Why Johnny Can t Pentest: An Analysis of Black-box Web Vulnerability Scanners

Columbia University Web Security Standards and Practices. Objective and Scope

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

What is Web Security? Motivation

Web Security Testing Cookbook*

PowerLink for Blackboard Vista and Campus Edition Install Guide

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Implementation of Web Application Firewall

Hardening Joomla! (MNI)

Web Application Vulnerability Testing with Nessus

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte

How to Configure edgebox as a Web Server

Web application security

Two Novel Server-Side Attacks against Log File in Shared Web Hosting Servers

Workday Mobile Security FAQ

Penetration Testing for Web Applications (Part Two) by Jody Melbourne and David Jorm last updated July 3, 2003

IBM Advanced Threat Protection Solution

Automated vulnerability scanning and exploitation

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Using Nessus In Web Application Vulnerability Assessments

Application Security Testing. Generic Test Strategy

PHP Vulnerabilities in Web Servers

Configuring CQ Security

Java Program Vulnerabilities

Hacker Intelligence Initiative, Monthly Trend Report #17

PDFSealer User s Guide. ITEKSOFT Corporation Copyright All rights reserved

Web Vulnerability Assessment Report

Lecture 2. Internet: who talks with whom?

Security Assessment of Waratek AppSecurity for Java. Executive Summary

How-To: Submitting PDF forms to SharePoint from custom websites

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

How To Manage Web Content Management System (Wcm)

Module 45 (More Web Hacking)

Data Breaches and Web Servers: The Giant Sucking Sound

CS 558 Internet Systems and Technologies

Cross-Site Scripting

Creating a Digital Signature in Adobe Acrobat Created on 1/11/2013 2:48:00 PM

Web Application Guidelines

Facebook Twitter YouTube Google Plus Website

Web Application Report

LAMP Secure Web Hosting. A.J. Newmaster & Matt Payne 8/10/2005

MANAGED SECURITY TESTING

Adobe Systems Incorporated

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Using ADOBE LIVECYCLE ES4 Connector for MICROSOFT SHAREPOINT

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Information Technology Policy

FortiWeb 5.0, Web Application Firewall Course #251

April 11, (Revision 2)

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

The anatomy of an online banking fraud

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

JPX-LEI User Guide 2014/8/1. Japan Exchange Group, Inc. / Tokyo Stock Exchange, Inc. Copyright 2014 Tokyo Stock Exchange, Inc. All rights reserved.

Executive Summary On IronWASP

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

SAS Drug Development Release Notes 35DRG07

How to address the eform submission problem linked to Enhanced security in Adobe Reader and Adobe Acrobat

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

WordPress Security Scan Configuration


DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Service Manager and the Heartbleed Vulnerability (CVE )

Internet Banking System Web Application Penetration Test Report

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Criteria for web application security check. Version

HP OpenView Smart Plug-in for Microsoft Exchange Server

Why File Upload Forms are a Major Security Threat

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July Contents

An Insight into Cookie Security

The Security Development Life Cycle

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

Transcription:

Whitepaper Exploiting Local File Inclusion in A Co-Hosting Environment A Proof-of-Concept Utkarsh Bhatt Anant Kochhar

TABLE OF CONTENTS Abstract... 4 Introduction... 4 Upload Modules... 4 Local File Inclusion... 4 The Attack Scenario... 5 Recommended Resolutions... 11 About The Authors... 11 About SecurEyes... 12 3

Abstract Local File Inclusion (LFI) vulnerability in a PHP web application can be exploited to the fullest only when it is possible to upload files into the web server. This paper explores a technique through which a properly implemented file upload module in a co-hosted website can be used for full exploitation of the LFI vulnerability, which can lead to full web server control. Introduction Web hosting companies and organizations often host several sites in the same web server container as a way to economize resources. This is commonly referred to as cohosting. In this paper, we demonstrate a technique through which an attacker can fully exploit an LFI in one co-hosted site through the upload module (even those which are securely implemented) in another co-hosted web site. Upload Modules Web applications often implement a file upload functionality allowing users to upload files, like documents etc, directly to the file system. Despite proper validations for the uploaded files, malicious code can still be appended to a file, which is then accepted as valid file content. This malicious code can then be executed by exploiting an existing LFI (Local File Inclusion) vulnerability in a co-hosted website. Local File Inclusion In PHP, one page can make calls to or include the code written in other pages or files by using require, require_once, include or include_once core PHP functions. Pages vulnerable to LFI accept file path as user input to directly reference to files which have to included during the run-time of the page execution. 4

Attackers manipulate this user input to reference to files which are not intended by the original developers of the PHP application. For example, attackers typically will try and reference to etc/passwd file on a UNIX system. However, attackers are more interested in referencing to files containing malicious code and try to discover vulnerabilities through which they can upload malicious files to the server. The Attack Scenario LFI in One Co-Hosted Site An attacker discovers LFI vulnerability in a website. The URL of the vulnerable website page is http://www.vul456.com/index.php?file=test.php The index.php page accepts the file path as user input for the variable file. It then includes the file during run-time as shown above. The attacker can thus traverse to all files on the server. However, this is of not much use to the attacker, since all files are valid and do not contain any malicious code: URL: http://www.vul456.com/index.php?file=../site3/index.php 5

The header section of site 3 is being included Upload Module in another Co-Hosted Website The attacker discovers an upload module in a public page of a co-hosted website. Note that the upload module checks for valid file type and content: URL : http://www.vul123.com/index.php 6

The Exploit The attacker captures the HTTP request to the server in an HTTP proxy, like Burp: The form consists of a valid PDF File The attacker appends the malicious PHP code at the end of the PDF content. 7

The attacker submits the above request and successfully uploads the PDF file into the server. Note that the native PHP file validation function is implemented in the page. As shown below, the uploaded file is a valid PDF file which opens in the Adobe Acrobat reader: 8

The attacker can now fully exploit the previously discovered Local File inclusion vulnerability. The URL of the vulnerable website is http://www.vul456.com/index.php?file=test.php The attacker references to the uploaded PDF file by entering its path, using directory traversal, in the file GET parameter: http://www.vul456.com/index.php?file=../site1/upload/hctd000533.pdf 9

An attacker can pass input parameters to the malicious PDF file code by sending them as GET parameters: http://www.vul456.com/index.php?file=../site1/upload/hctd000533.pdf&dir=../site2 The files in the site2 directory are displaying here As can be seen above, an attacker can list all directories on the server. He can also read the source of any file on the server: http://www.vul456.com/index.php?file=../site1/upload/hctd000533.pdf&file=../site2/ configuration.php The source code of the file is displayed 10

The Impact The impact of this vulnerability is that the attacker can execute any arbitrary code on the server potentially taking the complete control of the web server. Recommended Resolutions Secure web hosting settings should be implemented to disallow pages/ scripts in one website to reference/ include files of other co-hosted websites. Such settings will vary according to web server type and other web hosting environment conditions. However, the following core vulnerabilities can be resolved by using secure coding techniques: Public File Upload issue: 1. File upload module should not be publically accessible. If a public file upload module is required, then the uploaded files should be stored in a database and not in the file system. LFI vulnerability: 1. Filenames/ file paths of files to be included during execution should not be passed as a user input from the client side. 2. Proper indexing should be maintained for the files and the file id s can be passed instead of the file names. For example, id=1 instead of file=change.php. About The Authors Utkarsh Bhatt and Anant Kochhar are Information Security Consultants and they have, between them, secured several web applications. They can be reached at utkarsh.bhatt@secureyes.net and anant.kochhar@secureyes.net respectively. 11

About SecurEyes SecurEyes is a Bangalore based firm specializing in IT security. SecurEyes offers a wide range of security services and products to its clients. For more information, please visit our website: http://www.secureyes.net/. 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information