Home page logo
/

bugtraq logo Bugtraq mailing list archives

Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection
From: n0b0d13s () gmail com
Date: Tue, 18 Oct 2011 12:58:24 GMT


--------------------------------------------------------------------
Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection
--------------------------------------------------------------------

author...............: EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.boonex.com/dolphin
affected versions....: from 7.0.0 to 7.0.7
   
[-] vulnerable code in /member_menu_queries.php

61.                case 'get_bubbles_values' :
62.                    $sBubbles = ( isset($_GET['bubbles']) ) ?  $_GET['bubbles'] : null;
63.                    if ( $sBubbles && $iMemberId ) {
64.    
65.                        $aMemberInfo  = getProfileInfo($iMemberId);
66.                        if($aMemberInfo['UserStatus'] != 'offline') {
67.                            // update the date of last navigate;
68.                            update_date_lastnav($iMemberId);
69.                        }
70.    
71.                        $aBubbles = array();
72.                        $aBubblesItems = explode(',', $sBubbles);
73.    
74.                        if ( $aBubblesItems && is_array($aBubblesItems) ) {
75.                            $bClearCache = false;
76.                            foreach( $aBubblesItems as $sValue)
77.                            {
78.                                $aItem   = explode(':', $sValue);
79.    
80.                                $sBubbleCode = null;
81.                                foreach($aMenuStructure as $sKey => $aItems)
82.                                {
83.                                    foreach($aItems as $iKey => $aSubItems)
84.                                    {
85.                                        if( $aSubItems['Name'] == $aItem[0]) {
86.                                            $sBubbleCode = $aSubItems['Bubble'];
87.                                            break;
88.                                        }
89.                                    }
90.    
91.                                    if ($sBubbleCode) {
92.                                        break;
93.                                    }
94.                                }
95.    
96.                                if ($sBubbleCode) {
97.                                    $sCode  = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
98.                                    $sCode  = str_replace('{ID}', $iMemberId, $sCode);
99.    
100.                                   eval($sCode);

When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication, but is always possible to create a
new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass
the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration.


[-] Disclosure timeline:

[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hide the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through 
http://www.boonex.com/help/contact";
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure


[-] Prroof of concept:

http://www.exploit-db.com/exploits/17994/


  By Date           By Thread  

Current thread:
  • Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection n0b0d13s (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault