CSRF, Authentication Bypass & RCE in GuppY

135.1k
7
17
30
7
More
5
15

Advisory ID:	HTB23299
Product:	GuppY
Vendor:	GuppY
Vulnerable Versions:	5.01 and probably prior
Tested Version:	5.01
Advisory Publication:	March 2, 2016 [without technical details]
Vendor Notification:	March 2, 2016
Public Disclosure:	September 26, 2018
Vulnerability Type:	Cross-Site Request Forgery [CWE-352] Improper Authentication [CWE-287]
CVE Reference:	Pending
Risk Level:	High

CVSSv2 Base Scores:	4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L] 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Discovered and Provided:	High-Tech Bridge Security Research Lab
Advisory Details:
High-Tech Bridge Security Research Lab discovered two vulnerabilities in open web portal software GuppY. A remote attacker can delete arbitrary files, bypass authentication and execute arbitrary file on vulnerable system. 1) Cross-Site Request Forgery in GuppY The vulnerability exists due to insufficient validation of HTTP request origin, when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, and delete arbitrary file on the system. A simple exploit below will delete file "/admin/mdp.php", which contains administrator's password. To reproduce the vulnerability, log in to the website with administrative credentials, copy-paste the code below into an empty HTML file and open it in your browser: <form action="http://[host]/admin/admin.php?lng=en&pg=upload" method="POST"> <input type="hidden" name="rep" value="file" /> <input type="hidden" name="del" value="../admin/mdp.php" /> <input type="submit" value="Submit request" /> </form> 2) Improper Authentication in GuppY The vulnerability exists due to incorrectly implemented authentication mechanisms, when "/admin/mdp.php" file is absent on the system. A remote attacker can bypass authentication by setting "GuppYAdmin" cookie parameter to value "-2111096325\|\|" and upload arbitrary PHP file using the "/admin/editors/upload/upload.php" script. Successful exploitation of this vulnerability requires, that "/admin/mdp.php" is deleted from the system (see vulnerability #1). Below is a dump of HTTP GET request, that can be used to bypass authentication process and get access to upload form: GET /admin/editors/upload/upload.php?namerepconfig=1 HTTP/1.1 Host: [host] Accept-Language: en-US Accept-Encoding: gzip, deflate Cookie: GuppYAdmin=-2111096325\|\|; Connection: close Once the attacker has access to upload form, it is possible to upload and execute arbitrary PHP file on the system with privileges of the web server.
Solution:
Vendor notified, awaiting vendor solution.

References:
[1] High-Tech Bridge Advisory HTB23299 - https://www.immuniweb.com/advisory/HTB23299 - CSRF, Authentication Bypass & RCE in GuppY [2] GuppY - http://www.freeguppy.org - GuppY: the easy and free web portal that requires no database to run [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [4] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing. [5] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.

Related Security Advisories: HTB23176: Cross-Site Scripting (XSS) in GuppY

Previous Security Advisories with CWE-287:

HTB23289: SSO Authentication Bypass and Website Takeover in DOKEOS

HTB23192: Improper Authentication in Burden

135.1k
7
17
30
7
More
5
15

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.