CSRF, Authentication Bypass & RCE in GuppY
|Vulnerable Versions:||5.01 and probably prior|
|Advisory Publication:||March 2, 2016 [without technical details]|
|Vendor Notification:||March 2, 2016 |
|Public Disclosure:||September 26, 2018 |
|Vulnerability Type:||Cross-Site Request Forgery [CWE-352]|
Improper Authentication [CWE-287]
|Risk Level:||High |
|CVSSv3 Base Scores:||4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered two vulnerabilities in open web portal software GuppY. A remote attacker can delete arbitrary files, bypass authentication and execute arbitrary file on vulnerable system.
1) Cross-Site Request Forgery in GuppY
The vulnerability exists due to insufficient validation of HTTP request origin, when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, and delete arbitrary file on the system.
A simple exploit below will delete file "/admin/mdp.php", which contains administrator's password. To reproduce the vulnerability, log in to the website with administrative credentials, copy-paste the code below into an empty HTML file and open it in your browser:
<form action="http://[host]/admin/admin.php?lng=en&pg=upload" method="POST">
<input type="hidden" name="rep" value="file" />
<input type="hidden" name="del" value="../admin/mdp.php" />
<input type="submit" value="Submit request" />
2) Improper Authentication in GuppY
The vulnerability exists due to incorrectly implemented authentication mechanisms, when "/admin/mdp.php" file is absent on the system. A remote attacker can bypass authentication by setting "GuppYAdmin" cookie parameter to value "-2111096325||" and upload arbitrary PHP file using the "/admin/editors/upload/upload.php" script.
Successful exploitation of this vulnerability requires, that "/admin/mdp.php" is deleted from the system (see vulnerability #1).
Below is a dump of HTTP GET request, that can be used to bypass authentication process and get access to upload form:
GET /admin/editors/upload/upload.php?namerepconfig=1 HTTP/1.1
Accept-Encoding: gzip, deflate
Once the attacker has access to upload form, it is possible to upload and execute arbitrary PHP file on the system with privileges of the web server.
|Vendor notified, awaiting vendor solution.|
| High-Tech Bridge Advisory HTB23299 - https://www.htbridge.com/advisory/HTB23299 - CSRF, Authentication Bypass & RCE in GuppY|
 GuppY - http://www.freeguppy.org - GuppY: the easy and free web portal that requires no database to run
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
 ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.