sanitize() does not escape backslash

Bug #1056997 reported by Uranium235
Affects: Pluck CMS
Status: Fix Committed
Importance: Critical
Assigned to: Uranium235

Bug Description

The function sanitize() in functions.all.php does not escape properly. Backslashes need to be escaped before escaping the single quotes.

Right now it is possible to inject and run php code. I do not know exactly if it is possible for an attacker to exploit the vulnerability without having admin (write) access first in the standard installation. But I imagine that plugins may exist - at least in the future - that use this function and allow non admin users to store information (like a guestbook) and potentially exploit the vulnerability.

Besides that it is possible to break the pluck installation for an admin when using the combination of single quote with a preceding backslash as field value.

Example:
Save the following to a page in TinyMCE HTML mode:
<a href="#" title="\';phpinfo();?>">test</a>

fix:

function sanitize($var, $html = true) {
 // Escape backslashes first, so that a backslash already present in the input
 // cannot neutralise the escaping of a single quote that follows it.
 $var = str_replace('\\', '\\\\', $var);
 // Only now escape single quotes.
 $var = str_replace('\'', '\\\'', $var);

 // ENT_COMPAT leaves single quotes and backslashes untouched; double_encode is off.
 if ($html == true)
  $var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8', false);

 return $var;
}
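To make the ordering point from the report concrete, here is an added example (not Pluck's code) that models how PHP reads a single-quoted literal and checks whether a sanitizer keeps a value inside the quotes. It uses simplified quote-only and fixed versions of sanitize() without the htmlspecialchars() step, which under ENT_COMPAT touches neither backslashes nor single quotes; the trailing-backslash input is a constructed case.

```php
<?php
// Added example, not Pluck's code. Models how PHP reads a single-quoted
// literal to show why the quote must be escaped after the backslash.
// Vulnerable order described in the report: only the single quote is escaped.
function sanitize_quote_only(string $var): string {
    return str_replace("'", "\\'", $var);
}

// Fixed order from the report: backslashes first, then single quotes.
function sanitize_fixed(string $var): string {
    $var = str_replace('\\', '\\\\', $var);
    return str_replace("'", "\\'", $var);
}

// Decode a single-quoted literal body the way the PHP parser does: only \\ and
// \' are escapes, any other backslash is literal, and the first unescaped
// quote ends the literal. Returns [decoded text, terminated?, text after the quote].
function parse_single_quoted(string $body): array {
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\' && $i + 1 < $len && ($body[$i + 1] === '\\' || $body[$i + 1] === "'")) {
            $out .= $body[++$i];          // consume the two-character escape
        } elseif ($c === "'") {
            return [$out, true, substr($body, $i + 1)];
        } else {
            $out .= $c;
        }
    }
    return [$out, false, ''];
}

// A sanitizer is safe for "'" . sanitize($v) . "'" only if the literal ends
// exactly at the appended closing quote and decodes back to the original value.
function stays_inside_literal(callable $sanitizer, string $input): bool {
    [$decoded, $terminated, $tail] = parse_single_quoted($sanitizer($input) . "'");
    return $terminated && $tail === '' && $decoded === $input;
}

$cases = [
    'report payload'              => "\\';phpinfo();//",
    'constructed: trailing slash' => 'abc\\',
];
foreach ($cases as $name => $value) {
    printf("%-29s quote-only: %-6s fixed: %s\n", $name,
        stays_inside_literal('sanitize_quote_only', $value) ? 'safe' : 'UNSAFE',
        stays_inside_literal('sanitize_fixed', $value) ? 'safe' : 'UNSAFE');
}
```

The same check can be dropped into a unit test to catch a future regression where the two str_replace() calls are reordered.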


Uranium235 (uranium235)
description: updated
Uranium235 (uranium235) wrote:

After having had a brief look at the blog module, I think the reactions functionality qualifies for an attack scenario for visitors.

So I think this bug is in fact critical and of utmost importance!

Uranium235 (uranium235) wrote:
Changed in pluck-cms:
status: New → Fix Committed
Uranium235 (uranium235) wrote:

!!! URGENT !!!

Confirmed the vulnerability again.

The blog reactions, which are enabled by default, allow anyone to execute arbitrary PHP code.
e.g. put the following in the message field for the reaction: \';phpinfo();//

Also, this bug can be exploited via CSRF, even if the blog module is not used or reactions disabled.

I haven't gotten any reaction from a team member so far, not even Sander on his private e-mail.

WOULD ANYONE FROM THE TEAM PLEASE AT LEAST LET ME KNOW THAT THIS ISSUE HAS BEEN NOTICED?

Otherwise I have to assume no one is active in this project anymore (given the activity here and on the HP, that's fair to assume) and I will disclose this issue publicly, so that people may be aware and protect themselves.

Changed in pluck-cms:
importance: Undecided → Critical
Anders G. Jørgensen (spirit55555) wrote:

Hi Uranium,

While I'm not active in this project anymore, I still read all the mails I get from it. I'm sorry for not replying earlier.

I can see that you have put a lot of work into it, and since you are the only one currently doing any work on it, I'm going to merge your changes without testing it first, if you can confirm that you have tested it properly.

I can't unfortunately add you to the development team here on launchpad, only Sander the leader can. So for now, I will merge the changes you have, until I can give you permissions for the main branch.

This bug will also require a new release, and that is also something I cannot do, because I do not have access to the website.

I will try to get in touch with Sander, so the project can live on.

Regards
Anders G. Jørgensen

Uranium235 (uranium235) wrote:

Hi Anders,

if you mean to merge the whole branch, not just this bugfix, hold on a second please.

I found 2 issues I introduced with my patches.
The 404 status in index.php is not as I intended, and module_is_included_in_page() needs a regexp now, because I noticed that parameters are possible there.

working on that now...

Anders G. Jørgensen (spirit55555) wrote:

Okay, let me know in the merge request when it's all working.

Uranium235 (uranium235)
information type: Private Security → Public Security
Changed in pluck-cms:
assignee: nobody → Uranium235 (uranium235)
Ben Linsey-Bloom (ben-kitserve) wrote:

I'd like to contribute to this project but it seems kind of dormant. Has there been any response from the project lead? Is there any way to take things forward without him?

Sander (sanderth) wrote:

Ben, I'm still the lead of the project, but you're right, it's in a dormant state at the moment. Unfortunately, I don't have time to contribute in any way now or any time in the foreseeable future.

If there are any possibilities though to revitalize the project, I'd welcome your input. It'd be wonderful to see work be continued on this project, as it is still in a very usable and reasonably up-to-date state at the moment.
Let me know!

debra colvin (llothcat) wrote:

Just confirmed the bug on my test site. I'm working to improve this cute little thing, btw, but this bug is a huge issue.
