Pluck CMS

sanitize() does not escape backslash

Bug #1056997 reported by Uranium235 on 2012-09-26

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Pluck CMS	Fix Committed	Critical	Uranium235

Bug Description

The function sanitize() in functions.all.php does not escape properly. Backslashes need to be escaped before escaping the single quotes.

Right now it is possible to inject and run php code. I do not know exactly if it is possible for an attacker to exploit the vulnerability without having admin (write) access first in the standard installation. But I imagine that plugins may exist - at least in the future - that use this function and allow non admin users to store information (like a guestbook) and potentially exploit the vulnerability.

Besides that it is possible to break the pluck installation for an admin when using the combination of single quote with an preceding backslash as field value.

Example
save the following to a page in tinymce html mode:
<a href="#" title="\';phpinfo();?>">test</a>

fix:

function sanitize($var, $html = true) {
$var = str_replace('\\', '\\\\', $var);
$var = str_replace('\'', '\\\'', $var);

if ($html == true)
$var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8', false);

return $var;
}

See original description

Related branches

lp://staging/~uranium235/pluck-cms/pluck-cms

Merged into lp://staging/pluck-cms at revision 398

Anders G. Jørgensen: Approve on 2012-11-04

Uranium235 (uranium235) on 2012-09-26

description:

updated

Revision history for this message

Uranium235 (uranium235) wrote on 2012-09-27:

After having had a brief look at the blog module, I think the reactions functionality qualifies for an attack scenario for visitors.

So I think this bug is in fact critical and of utmost importance!

Revision history for this message

Uranium235 (uranium235) wrote on 2012-10-04:

fixed in lp:~uranium235/pluck-cms/pluck-cms

Changed in pluck-cms:
status:	New → Fix Committed

Revision history for this message

Uranium235 (uranium235) wrote on 2012-10-06:

!!! URGENT !!!

Confirmed the vulnerability again.

The blog reactions, which are enabled by default, allow anyone to execute arbitrary PHP code.
e.g. put the following in the message field for the reaction: \';phpinfo();//

Also, this bug can be exploited via CSRF, even if the blog module is not used or reactions disabled.

I haven't gotten any reaction from a team member so far, not even Sander on his private e-mail.

WOULD ANYONE FROM THE TEAM PLEASE AT LEAST LET ME KNOW THAT THIS ISSUE HAS BEEN NOTICED?

Otherwise I have to assume no one is active in this project anymore (given the activity here and on the HP, that's fair to assume) and I will disclose this issue publicly, so that people may be aware and protect themselves.

Anders G. Jørgensen (spirit55555) on 2012-10-06

Changed in pluck-cms:
importance:	Undecided → Critical

Revision history for this message

Anders G. Jørgensen (spirit55555) wrote on 2012-10-06:

Hi Uranium,

While I'm not active in this project anymore, I still read all the mails I get from it. I'm sorry for not replying earlier.

I can see that you have put a lot of work in to it, and since you are the only one currently doing any work on it, I'm going to merge your changes without testing it first, if you can confirm that you have tested it properly.

I can't unfortunately add you to the development team here on launchpad, only Sander the leader can. So for now, I will merge the changes you have, until I can give you permissions for the main branch.

This bug will also require a new release, and that is also something I can not do, because I do not have access to the website.

I will try to get in touch with Sander, so the project can live on.

Regards
Anders G. Jørgensen

Revision history for this message

Uranium235 (uranium235) wrote on 2012-10-06:

Hi Andes,

if you mean to merge the whole branch, not just this bugfix, hold on a second please.

I found 2 issues I introduced with my patches.
The 404 status in index.php is not as I intended and the module_is_included_in_page() needs a regexp now, because I noticed there a parameters possible.

working on that now...

Revision history for this message

Anders G. Jørgensen (spirit55555) wrote on 2012-10-06:

Okay, let me know in merge request when it's all working.

Uranium235 (uranium235) on 2012-12-21

information type:	Private Security → Public Security
Changed in pluck-cms:
assignee:	nobody → Uranium235 (uranium235)

Revision history for this message

Ben Linsey-Bloom (ben-kitserve) wrote on 2013-06-05:

I'd like to contribute to this project but it seems kind of dormant. Has there been any response from the project lead? Is there any way to take things forward without him?

Revision history for this message

Sander (sanderth) wrote on 2013-06-05:

Ben, I'm still the lead of the project, but you're right, it's in a dormant state at the moment. Unfortunately, I don't have time to contribute in any way now or any time in the foreseeable future.

If there are any possibilities though to revitalize the project, I'd welcome your input. It'd be wonderful to see work be continued on this project, as it is still in a very usable and reasonably up-to-date state at the moment.
Let me know!

Revision history for this message

debra colvin (llothcat) wrote on 2013-07-15:

Just confirmed the bug on my test site. I'm working to improve this cute little thing, btw, but this bug is a huge issue.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.