nicktze
commented
6 years ago I can confirm that multiple parameters are affected by this vulnerability. Besides database_username, the parameters database_host and database_password are suspectible for PHP code injection.
USE CVE-2017-9771
The attacker can change the content of configuration file and constructing the database_username And many other parameters to replace the DB_USERNAME of the configuration file with malicious code. So attacker can run malicious command remotely.
code: $debug = false;
if (true === $debug) { ini_set('display_errors', 1); error_reporting(E_ALL); } // Start a session if (!defined('SESSION_STARTED')) { session_name('wb-installer'); session_start(); define('SESSION_STARTED', true); } // get random-part for session_name() list($usec,$sec) = explode(' ',microtime()); srand((float)$sec+((float)$usec*100000)); $session_rand = rand(1000,9999);
// Function to set error function set_error($message, $field_name = '') { // global $_POST; if (isset($message) AND $message != '') { // Copy values entered into session so user doesn't have to re-enter everything if (isset($_POST['website_title'])) { $_SESSION['wb_url'] = $_POST['wb_url']; $_SESSION['default_timezone'] = $_POST['default_timezone']; $_SESSION['default_language'] = $_POST['default_language']; if (!isset($_POST['operating_system'])) { $_SESSION['operating_system'] = 'linux'; } else { $_SESSION['operating_system'] = $_POST['operating_system']; } if (!isset($_POST['world_writeable'])) { $_SESSION['world_writeable'] = false; } else { $_SESSION['world_writeable'] = true; } $_SESSION['database_host'] = $_POST['database_host']; $_SESSION['database_username'] = $_POST['database_username']; $_SESSION['database_password'] = $_POST['database_password']; $_SESSION['database_name'] = $_POST['database_name']; $_SESSION['table_prefix'] = $_POST['table_prefix']; if (!isset($_POST['install_tables'])) { $_SESSION['install_tables'] = false; } else { $_SESSION['install_tables'] = true; } $_SESSION['website_title'] = $_POST['website_title']; $_SESSION['admin_username'] = $_POST['admin_username']; $_SESSION['admin_email'] = $_POST['admin_email']; $_SESSION['admin_password'] = $_POST['admin_password']; $_SESSION['admin_repassword'] = $_POST['admin_repassword']; } // Set the message $_SESSION['message'] = $message; // Set the element(s) to highlight if ($field_name != '') { $_SESSION['ERROR_FIELD'] = $field_name; } // Specify that session support is enabled $_SESSION['session_support'] = 'Enabled'; // Redirect to first page again and exit header('Location: index.php?sessions_checked=true'); exit(); } } / /
// Function to workout what the default permissions are for files created by the webserver function default_file_mode($temp_dir) { if (version_compare(PHP_VERSION, '5.3.6', '>=') && is_writable($temp_dir)) { $filename = $temp_dir.'/test_permissions.txt'; $handle = fopen($filename, 'w'); fwrite($handle, 'This file is to get the default file permissions'); fclose($handle); $default_file_mode = '0'.substr(sprintf('%o', fileperms($filename)), -3); unlink($filename); } else { $default_file_mode = '0777'; } return $default_file_mode; }
// Function to workout what the default permissions are for directories created by the webserver function default_dir_mode($temp_dir) { if (version_compare(PHP_VERSION, '5.3.6', '>=') && is_writable($temp_dir)) { $dirname = $temp_dir.'/test_permissions/'; mkdir($dirname); $default_dir_mode = '0'.substr(sprintf('%o', fileperms($dirname)), -3); rmdir($dirname); } else { $default_dir_mode = '0777'; } return $default_dir_mode; }
function add_slashes($input) { if (get_magic_quotes_gpc() || ( !is_string($input) )) { return $input; } $output = addslashes($input); return $output; }
// Begin check to see if form was even submitted // Set error if no post vars found if (!isset($_POST['website_title'])) { set_error('Please fill-in the form below'); } // End check to see if form was even submitted
// Begin path and timezone details code
// Check if user has entered the installation url if (!isset($_POST['wb_url']) OR $_POST['wb_url'] == '') { set_error('Please enter an absolute URL', 'wb_url'); } else { $wb_url = $_POST['wb_url']; } // Remove any slashes at the end of the URL $wb_url = rtrim($wb_url, '\/'); // Get the default time zone if (!isset($_POST['default_timezone']) OR !is_numeric($_POST['default_timezone'])) { set_error('Please select a valid default timezone', 'default_timezone'); } else { $default_timezone = $_POST['default_timezone']6060; } // End path and timezone details code
// Get the default language $sLangDir = str_replace('\', '/', dirname(dirname(FILE)).'/languages/'); $allowed_languages = preg_replace('/^.*\/([A-Z]{2}).php$/iU', '\1', glob($sLangDir.'??.php')); if (!isset($_POST['default_language']) OR !in_array($_POST['default_language'], $allowed_languages)) { set_error('Please select a valid default backend language','default_language'); } else { $default_language = $_POST['default_language']; // make sure the selected language file exists in the language folder if (!file_exists('../languages/' .$default_language .'.php')) { set_error('The language file: \'' .$default_language .'.php\' is missing. Upload file to language folder or choose another language','default_language'); } } // End default language details code
// Begin operating system specific code // Get operating system if (!isset($_POST['operating_system']) OR $_POST['operating_system'] != 'linux' AND $_POST['operating_system'] != 'windows') { set_error('Please select a valid operating system'); } else { $operating_system = $_POST['operating_system']; } // Work-out file permissions if ($operating_system == 'windows') { $file_mode = '0666'; $dir_mode = '0777'; } elseif (isset($_POST['world_writeable']) AND $_POST['world_writeable'] == 'true') { $file_mode = '0666'; $dir_mode = '0777'; } else { $file_mode = default_file_mode('../temp'); $dir_mode = default_dir_mode('../temp'); } // End operating system specific code
// Begin database details code // Check if user has entered a database host if (!isset($_POST['database_host']) OR $_POST['database_host'] == '') { set_error('Please enter a database host name', 'database_host'); } else { $database_host = trim($_POST['database_host']); } // extract port if available if (isset($database_port)) { unset($database_port); } $aMatches = preg_split('/:/s', $database_host, -1, PREG_SPLIT_NO_EMPTY); $database_host = $aMatches[0]; $database_port = (isset($aMatches[1]) ? (int)$aMatches[1] : ini_get('mysqli.default_port'));
// Check if user has entered a database username if (!isset($_POST['database_username']) OR $_POST['database_username'] == '') { set_error('Please enter a database username','database_username'); } else { $database_username = $_POST['database_username']; } // Check if user has entered a database password if (!isset($_POST['database_password'])) { set_error('Please enter a database password', 'database_password'); } else { $database_password = $_POST['database_password']; } // Check if user has entered a database name if (!isset($_POST['database_name']) OR $_POST['database_name'] == '') { set_error('Please enter a database name', 'database_name'); } else { // make sure only allowed characters are specified if(pregmatch('/[^a-z0-9-]+/i', $_POST['databasename'])) { // contains invalid characters (only a-z, A-Z, 0-9 and allowed to avoid problems with table/field names) seterror('Only characters a-z, A-Z, 0-9, - and allowed in database name.', 'database_name'); } $database_name = $_POST['database_name']; } // Get table prefix if (pregmatch('/[^a-z0-9]+/i', $_POST['tableprefix'])) { // contains invalid characters (only a-z, A-Z, 0-9 and allowed to avoid problems with table/field names) seterror('Only characters a-z, A-Z, 0-9 and allowed in table_prefix.', 'table_prefix'); } else { $table_prefix = $_POST['table_prefix']; }
$install_tables = true; // Begin website title code // Get website title if (!isset($_POST['website_title']) OR $_POST['website_title'] == '') { set_error('Please enter a website title', 'website_title'); } else { $website_title = add_slashes($_POST['website_title']); } // End website title code
// Begin admin user details code $sClientIp = ''; // Get admin username if (!isset($_POST['admin_username']) OR $_POST['admin_username'] == '') { set_error('Please enter a username for the Administrator account','admin_username'); } else { $admin_username = $_POST['admin_username']; $sClientIp = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : '000.000.000.000'; $iClientIp = ip2long($sClientIp); $sClientIp = long2ip(($iClientIp & ~65535));
} // Get admin email and validate it if (!isset($_POST['admin_email']) OR $_POST['admin_email'] == '') { set_error('Please enter an email for the Administrator account','admin_email'); } else { if(preg_match('/^[_a-z0-9-]+(.[_a-z0-9-]+)@[a-z0-9-]+(.[a-z0-9-]+)(.[a-z]{2,4})$/i', $_POST['admin_email'])) { $admin_email = $_POST['admin_email']; } else { set_error('Please enter a valid email address for the Administrator account','admin_email'); } } // Get the two admin passwords entered, and check that they match if (!isset($_POST['admin_password']) OR $_POST['admin_password'] == '') { set_error('Please enter a password for the Administrator account','admin_password'); } else { $admin_password = $_POST['admin_password']; } if (!isset($_POST['admin_repassword']) OR $_POST['admin_repassword'] == '') { set_error('Please make sure you re-enter the password for the Administrator account','admin_repassword'); } else { $admin_repassword = $_POST['admin_repassword']; } if ($admin_password != $admin_repassword) { set_error('Sorry, the two Administrator account passwords you entered do not match','admin_repassword'); }
$database_charset = 'utf8'; // End admin user details code
$getNewVersion = function () { $sVersionFile = file_get_contents(dirname(DIR).'/admin/interface/version.php'); $sPattern = '=define\s(\'VERSION\'\,\s\'([^\']*)\'=is'; $sVersion = ((preg_match($sPattern, $sVersionFile, $aMatches)) ? $aMatches[1] : '???'); return $sVersion; }; // build name and content of the config file $sFileMarker = ' auto generated config file for '.$getNewVersion(); $config_filename = dirname(dirname(FILE)).'/config.php'; $config_content = '<?php'."\n" . '/'."\n" . ' '.$sFileMarker."\n" . ' ** WebsiteBaker '.$getNewVersion()."\n" . ' created at '.date('Y-m-d h:i:s e')."\n" . ' */'."\n" . '// define(\'DEBUG\', false);'."\n" . 'define(\'DB_TYPE\', \'mysqli\');'."\n" . 'define(\'DB_HOST\', \''.$database_host.'\');'."\n" . 'define(\'DB_PORT\', \''.sprintf('%04d', $database_port).'\');'."\n" . 'define(\'DB_NAME\', \''.$database_name.'\');'."\n" . 'define(\'DB_USERNAME\', \''.$database_username.'\');'."\n" . 'define(\'DB_PASSWORD\', \''.$database_password.'\');'."\n" . 'define(\'DB_CHARSET\', \''.$database_charset.'\');'."\n" . 'define(\'TABLE_PREFIX\', \''.$table_prefix.'\');'."\n" . "\n" . 'define(\'WB_URL\', \''.$wb_url.'\'); ' . '// no trailing slash or backslash!!'."\n" . 'define(\'ADMIN_DIRECTORY\', \'admin\'); ' . '// no leading/trailing slash or backslash!! A simple directory name only!!'."\n"; unset($getNewVersion); // Check if the file exists and is writable first. $sMsg = ''; if (is_writable($config_filename)) { // try to write file if (file_put_contents($config_filename, $config_content) === false) { $sMsg = 'Cannot write to the configuration file <'.$config_filename.'>'; } } else { $sMsg = 'The configuration file <'.$config_filename.'> is missing or not writable.
' . 'Change its permissions so it is, then re-run step 4.'; } if ($sMsg) { set_error($sMsg); } // if something gone wrong, break with message // include config file to set constants include_once($config_filename); // now we can complete the config file $config_content = "\n".'require_once DIR.\'/framework/initialize.php\';'."\n" . '// --- end of file ----------------------------------'."\n"; // no errorhandling needed. 15 lines before we already wrote to this file successful! file_put_contents($config_filename, $config_content, FILE_APPEND);
// Define additional configuration constants define('WB_PATH', dirname(dirname(FILE))); define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY); define('ADMIN_URL', WB_URL.'/'.ADMIN_DIRECTORY); require(ADMIN_PATH.'/interface/version.php'); // *** initialize Exception handling if(!function_exists('globalExceptionHandler')) { include(WB_PATH.'/framework/globalExceptionHandler.php'); }
// Try connecting to database if (!file_exists(WB_PATH.'/framework/class.database.php')) { set_error('It appears the Absolute path that you entered is incorrect or file \'class.database.php\' is missing!'); } include(WB_PATH.'/framework/class.database.php'); try { $database = new database(); } catch (DatabaseException $e) { $sMsg = 'Database host name, username and/or password incorrect.
MySQL Error:
' . $e->getMessage(); set_error($sMsg); } if (!defined('WB_INSTALL_PROCESS')) { define ('WB_INSTALL_PROCESS', true); }
/ Begin Create Database Tables / $sInstallDir = dirname(FILE); if (is_readable($sInstallDir.'/install-struct.sql')) { if (! $database->SqlImport($sInstallDir.'/install-struct.sql', TABLE_PREFIX, false)) { set_error('unable to import \'install/install-struct.sql\''); } } else { set_error('unable to read file \'install/install-struct.sql\''); } if (is_readable($sInstallDir.'/install-data.sql')) { if (! $database->SqlImport($sInstallDir.'/install-data.sql', TABLE_PREFIX, false )) { set_error('unable to import \'install/install-data.sql\''); } } else { set_error('unable to read file \'install/install-data.sql\''); } $sql = // add settings from install input 'INSERT INTO
'.TABLE_PREFIX.'settings(name,value) VALUES ' .'(\'wb_version\', \''.VERSION.'\'),' .'(\'wb_revision\', \''.REVISION.'\'),' .'(\'wb_sp\', \''.SP.'\'),' .'(\'website_title\', \''.$website_title.'\'),' .'(\'default_language\', \''.$default_language.'\'),' .'(\'app_name\', \'wb-'.$session_rand.'\'),' .'(\'default_timezone\', \''.$default_timezone.'\'),' .'(\'operating_system\', \''.$operating_system.'\'),' .'(\'string_dir_mode\', \''.$dir_mode.'\'),' .'(\'string_file_mode\', \''.$file_mode.'\'),' .'(\'server_email\', \''.$admin_email.'\')'; if (! ($database->query($sql))) { $msg = $database->get_error(); set_error('unable to write \'install presets\' into table \'settings\''.$msg); }
$sql = // add the Admin user 'INSERT INTO
'.TABLE_PREFIX.'usersSET ' . 'group_id=1, ' . 'groups_id=\'1\', ' . 'active=\'1\', ' . 'username=\''.$admin_username.'\', ' . 'password=\''.md5($admin_password).'\', ' . 'remember_key=\'\', ' . 'last_reset=0, ' . 'display_name=\'Administrator\', ' . 'email=\''.$admin_email.'\', ' . 'timezone=\''.$default_timezone.'\', ' . 'date_format=\'M d Y\', ' . 'time_format=\'g:i A\', ' . 'language=\''.$default_language.'\', ' . 'home_folder=\'\', ' . 'login_when=\''.time().'\', ' . 'login_ip=\''.$sClientIp.'\' ' . ''; if (! ($database->query($sql))) { set_error('unable to write Administrator account into table \'users\''); } /** END OF TABLES IMPORT **/// initialize the system include(WB_PATH.'/framework/initialize.php');
//$sSecMod = (defined('SECURE_FORM_MODULE') && SECURE_FORM_MODULE != '') ? '.'.SECURE_FORM_MODULE : ''; //$sSecMod = WB_PATH.'/framework/SecureForm'.$sSecMod.'.php'; //require_once($sSecMod);
require_once(WB_PATH.'/framework/class.admin.php'); / // Dummy class to allow modules' install scripts to call $admin->print_error / class admin_dummy extends admin { public $error=''; public function print_error($message, $link = 'index.php', $auto_footer = true) { $this->error=$message; } }
// Include WB functions file require_once(WB_PATH.'/framework/functions.php');
require_once(WB_PATH.'/framework/Login.php'); // Include the PclZip class file (thanks to require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
$admin = new admin_dummy('Start','',false,false);
// Load addons into DB $dirs['modules'] = WB_PATH.'/modules/'; $dirs['templates'] = WB_PATH.'/templates/'; $dirs['languages'] = WB_PATH.'/languages/';
foreach ($dirs as $type => $dir) { if ($handle = opendir($dir)) { while (false !== ($file = readdir($handle))) { if ($file != '' AND substr($file, 0, 1) != '.' AND $file != 'admin.php' AND $file != 'index.php') { // Get addon type if ($type == 'modules') { load_module($dir.'/'.$file, true); // Pretty ugly hack to let modules run $admin->set_error // See dummy class definition admin_dummy above if ($admin->error!='') { set_error($admin->error); } } elseif ($type == 'templates') { load_template($dir.'/'.$file); } elseif ($type == 'languages') { load_language($dir.'/'.$file); } } } closedir($handle); } } // Check if there was a database error if ($database->is_error()) { set_error($database->get_error()); }
$ThemeUrl = WB_URL.$admin->correct_theme_source('warning.html'); // Setup template object, parse vars to it, then parse it $ThemePath = realpath(WB_PATH.$admin->correct_theme_source('login.htt'));
// Log the user in and go to Website Baker Administration $thisApp = new Login( array( "MAX_ATTEMPS" => "50", "WARNING_URL" => $ThemeUrl."/warning.html", "USERNAME_FIELDNAME" => 'admin_username', "PASSWORD_FIELDNAME" => 'admin_password', "REMEMBER_ME_OPTION" => false, "MIN_USERNAME_LEN" => "2", "MIN_PASSWORD_LEN" => "3", "MAX_USERNAME_LEN" => "30", "MAX_PASSWORD_LEN" => "30", 'LOGIN_URL' => ADMIN_URL."/login/index.php", 'DEFAULT_URL' => ADMIN_URL."/start/index.php", 'TEMPLATE_DIR' => $ThemePath, 'TEMPLATE_FILE' => 'login.htt', 'FRONTEND' => false, 'FORGOTTEN_DETAILS_APP' => ADMIN_URL."/login/forgot/index.php", 'USERS_TABLE' => TABLE_PREFIX."users", 'GROUPS_TABLE' => TABLE_PREFIX."groups", ) );