picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.
http://picocms.org/
MIT License

Generation of Error Message Containing Sensitive Information in picocms/pico #601

Closed PhrozenByte closed 2 years ago

PhrozenByte commented 2 years ago

Reported by @melbinkm via huntr.dev on 2021-08-23 16:34 CEST

→ Please refer to huntr.dev for the full report


✍️ Description

Internal Server path is disclosed in error message.

🕵️‍♂️ Proof of Concept

Request

GET /pico/?<%00> HTTP/1.1
Referer: http://192.168.65.1:800/pico/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: 192.168.65.1:800
Connection: Keep-alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 23 Aug 2021 13:29:05 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHP/7.3.29
Content-Length: 4411
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>:  is_dir() expects parameter 1 to be a valid path, string given in <b>C:\xamppp\htdocs\pico\vendor\picocms\pico\lib\Pico.php</b> on line <b>1297</b><br />
<br />
<b>Warning</b>:  is_file() expects parameter 1 to be a valid path, string given in <b>C:\xamppp\htdocs\pico\vendor\picocms\pico\lib\Pico.php</b> on line <b>460</b><br />
<!DOCTYPE html>
<html class="no-js">
<head>

💥 Impact

A Full Path Disclosure vulnerability enables an attacker to see the full path of the file, and the attacker can utilize this data for misusing some other vulnerability like Local File Inclusion.

📍 Location

index.php#L1

📝 References

PhrozenByte commented 2 years ago

Comment by @PhrozenByte


Whether PHP errors are shown or not is out of Pico's realm and a matter of the webserver's, or rather PHP's, configuration (i.e. php.ini). These warnings won't show up with PHP's default config for production systems (XAMPP uses the development config by default). I'd rather close this as invalid since it's 1) no issue with Pico and 2) the result of a misconfiguration.
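
The comment above points at the real control: the `display_errors` family of php.ini directives, which PHP's shipped `php.ini-development` enables and `php.ini-production` disables. The following deployment self-check is an added example, not Pico's code and not part of the huntr report; it reads those standard directives through `ini_get()` and reports whether the running configuration would print warnings, and therefore absolute file paths, into HTTP responses. The file name `check-errors.php` and the message wording are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Pico's code): reports whether the PHP configuration
 * would send warnings, and with them absolute file paths, to the client.
 *
 * The relevant php.ini directives, as shipped by PHP:
 *
 *   php.ini-development (XAMPP default)   php.ini-production
 *   display_errors = On                   display_errors = Off
 *   display_startup_errors = On           display_startup_errors = Off
 *   log_errors = On                       log_errors = On
 */

/**
 * Interpret a boolean-style ini value. php.ini parsing turns On/Yes/True
 * into "1" and Off/No/False into "", while ini_set() keeps the raw string,
 * so both spellings are accepted here. "stderr"/"stdout" also count as
 * displaying errors.
 */
function iniFlag(string $name): bool
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, ['1', 'on', 'yes', 'true', 'stderr', 'stdout'], true);
}

/**
 * Return a list of findings; an empty list means errors are logged
 * server-side and not displayed to the client.
 */
function errorDisplayFindings(): array
{
    $findings = [];
    if (iniFlag('display_errors')) {
        $findings[] = 'display_errors is enabled: PHP warnings (including file paths) are written into the response';
    }
    if (iniFlag('display_startup_errors')) {
        $findings[] = 'display_startup_errors is enabled';
    }
    if (!iniFlag('log_errors')) {
        $findings[] = 'log_errors is disabled: errors are not recorded server-side, so silencing display would also hide them from operators';
    }
    return $findings;
}

// Usage: php check-errors.php
// The CLI and the web SAPI may read different php.ini files (php --ini shows
// which one applies), so check the configuration the webserver actually uses.
$findings = errorDisplayFindings();
if ($findings === []) {
    echo "OK: PHP errors are logged, not displayed.\n";
} else {
    foreach ($findings as $finding) {
        echo "WARN: {$finding}\n";
    }
}
```

The check deliberately treats a disabled `log_errors` as a finding as well: the goal of the production setting is to move diagnostics from the response body into the server's error log, not to discard them.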

PhrozenByte commented 2 years ago

Comment by @melbinkm (Researcher)


Thanks. You're right. Closing issue. 👍

PhrozenByte commented 2 years ago

@melbinkm (Researcher) has invalidated this vulnerability


This is not an application vulnerability.

PhrozenByte commented 2 years ago

Thank you very much for your research @melbinkm! :heart:

I'm disclosing this security report in accordance with our SECURITY.md.