Closed ameerpornillos closed 5 years ago
Thanks for pointing this out. There are probably quite a few installs affected by this.
Another possible fix is to leave the app_key value blank and make the proxy throw an error (and not search) if it is not changed (in the same style that other search-related errors are shown, above the URL bar).
Fixed. A preinstalled version of php-proxy that exists here:
https://www.php-proxy.com/download/php-proxy.zip
will no longer include app_key by default, and it will have to be generated manually by the user, or else they get:
app_key inside config.php cannot be empty!
Brief description of this vulnerability:
The downloadable pre-installed version of PHP-Proxy 5.1.0 (current as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) makes use of a default app_key which can be used for local file inclusion attacks. This can be used to generate an encrypted string which can gain access to arbitrary local files on the server. (example: _http://php-proxy-site/php-proxy/index.php?q=_)
Affected Version:
5.1.0 (pre-installed version)
Reason of this vulnerability:
The downloadable pre-installed version of PHP-Proxy 5.1.0 (current pre-installed version as of this posting day) from www.php-proxy.com (https://www.php-proxy.com/download/php-proxy.zip) already contains the default app_key in the config.php file, which might be used by several users of the application and is thus vulnerable to local file inclusion.
The encrypted URL value relies on the app_key, as seen in the code snippet below.
Here the key is the encryption_key and, by default, its value depends on the md5 hash of app_key and the visiting IP address.
Combining all the functions above, an encrypted URL can be generated which contains the local file inclusion vulnerability payload.
Proof of Concept:
The code below will output an encrypted string which can exploit the local file inclusion vulnerability. Add the encrypted string to the PHP-Proxy 5.1.0 application URL, for example: _http://192.168.0.130/php-proxy/index.php?q=_ (replace with the generated encrypted string value)
The screenshot below is an example of obtaining an encrypted URL string, which was used to read C:/xampp/passwords.txt on the server.
Impact:
Gain access to arbitrary local files on the server.
Suggested Mitigation:
There is already a setup.txt included in the downloadable pre-installed version of PHP-Proxy which will generate and overwrite the default app_key; however, users most probably don't use it and keep using the default app_key.
A possible mitigation is to make the app_key value in config.php blank and have users use setup.txt to generate and overwrite the default app_key.
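The mitigation described in this report and in the maintainer's fix comment (ship config.php with an empty app_key, refuse to run until one is generated) can be expressed as a small guard plus a key generator. The following is an added example written for this thread, not php-proxy's own code or its setup.txt; it assumes a config.php that returns an associative array with an `app_key` entry, and the function names `require_app_key`, `generate_app_key` and `write_app_key` are illustrative only.

```php
<?php
// Added example (not php-proxy's own code). Assumes config.php is a PHP file
// that `return`s an associative array containing an 'app_key' entry.

// Refuse to run when the key is empty. Because the encryption key is derived
// from app_key (md5 of app_key plus the visiting IP, per the report), anyone
// who knows a shared default key can forge the encrypted "q" value, so a
// blank key must fail closed rather than fall back to a built-in value.
function require_app_key(array $config): string
{
    if (!isset($config['app_key']) || trim((string) $config['app_key']) === '') {
        throw new RuntimeException('app_key inside config.php cannot be empty!');
    }
    return (string) $config['app_key'];
}

// Generate a fresh per-install key from the CSPRNG (16 bytes = 32 hex chars),
// so no two installs share a key and the value cannot be guessed.
function generate_app_key(): string
{
    return bin2hex(random_bytes(16));
}

// Persist the key into config.php as a proper PHP string literal via
// var_export, rather than string-splicing into the file.
function write_app_key(string $configPath, string $key): void
{
    $config = file_exists($configPath) ? (include $configPath) : [];
    if (!is_array($config)) {
        $config = [];
    }
    $config['app_key'] = $key;
    $php = "<?php\nreturn " . var_export($config, true) . ";\n";
    file_put_contents($configPath, $php, LOCK_EX);
}

// Demo against a constructed temporary config so this runs outside an install.
$path = sys_get_temp_dir() . '/php-proxy-config-example.php';
file_put_contents($path, "<?php\nreturn ['app_key' => ''];\n");

try {
    require_app_key(include $path);
} catch (RuntimeException $e) {
    // Expected on a fresh install: the blank key is rejected.
    echo 'Before setup: ', $e->getMessage(), PHP_EOL;
}

write_app_key($path, generate_app_key());
$key = require_app_key(include $path);
echo 'After setup: app_key is ', strlen($key), ' hex characters', PHP_EOL;
unlink($path);
```

Running the script once prints the "cannot be empty" error for the blank config and then succeeds after a key has been written. In a real install the guard would sit at the top of the request path, before any decryption of the `q` parameter, so that an unconfigured proxy refuses every search instead of silently using a key that every other download shares.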