=============================================
INTERNET SECURITY AUDITORS ALERT 2009-003
- Original release date: March 2nd, 2009
- Last revised:  December 17th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
QuiXplorer <= 2.4.1beta standalone and as a Mambo/Joomla component
'lang' parameter Remote Code Execution Vulnerability.

II. BACKGROUND
-------------------------
QuiXplorer is a multi-user, web-based file-manager. It allows you to
manage and/or share files over the Internet, or an Intranet.
It's currently available in many languages and with GPL and MPL
licenses and referred in other open source projects.

III. DESCRIPTION
-------------------------
QuiXplorer is prone to a local file include and directory traversal
vulnerability because the application fails to sufficiently sanitize
user-supplied input. The parameter 'lang' is not properly sanitized.
Since the application allows to upload files to the server could be
combined with previous vulnerabilities to allow an attacker to execute
arbitrary code remotely in the context of the webserver. This may aid
in launching further attacks.

In order to perform the attack, an attacker could upload a PHP
malicious code (upload action is allowed by the application), then
exploit a bug to know the full path to the local file recently
uploaded (if 'display_errors' directive is set to On) and then include
it exploiting the local file include and directory traversal flaw
(using ../../path/to/file) to finally execute the PHP code.
Successfully exploitation of this flaw may aid in the compromise of
the server in the context of the webserver.

IV. PROOF OF CONCEPT
-------------------------
Here is the affected code:

 80 // Get Language
 81
if(isset($GLOBALS['__GET']["lang"]))$GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
 82
elseif(isset($GLOBALS['__POST']["lang"]))$GLOBALS["lang"]=$GLOBALS['__POST']["lang"];
 83
//------------------------------------------------------------------------------
 84 // Necessary files
 85 ob_start(); // prevent unwanted output
 86 require "./.config/conf.php";
 87 if(isset($GLOBALS["lang"])) $GLOBALS["language"]=$GLOBALS["lang"];
 88 require "./_lang/".$GLOBALS["language"].".php";        <----- HERE
 89 require "./_lang/".$GLOBALS["language"]."_mimes.php";  <----- HERE

Here is a poc:
PoC: http://site/path/?lang=../path/to/malicious_uploaded_code

Exploiting this bug is possible to include PHP files, allowing to
execute any arbitrary code code he want.
Also is possible to hide the crafted parameters data including it
through POST method, making detection more difficult to site
administrator.

About the full path disclosure, if the webserver has the show_errors
directive set to 'On', try:

http://site/path/?lang=no_exists

And the application return:

Warning: require(./_lang/no_exists.php) [function.require]: failed to
open stream: No such file or directory in
/var/www/quix/.include/init.php on line 88
Fatal error: require() [function.require]: Failed opening required
'./_lang/no_exists.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/var/www/quix/.include/init.php on line 88

Revealing the path to the home directory of the filemanager

V. BUSINESS IMPACT
-------------------------
An attacker could view any file or execute arbitrary code remotely
into the context of the webserver.

VI. SYSTEMS AFFECTED
-------------------------
All version of QuiXplorer are affected.
At the moment <= 2.4.1beta.

VII. SOLUTION
-------------------------
As developers give no response we add the mitigation for its solution.
To patch only change this lines...

From:
 81 if(isset($GLOBALS['__GET']["lang"]))
$GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
 82 elseif(isset($GLOBALS['__POST']["lang"]))
$GLOBALS["lang"]=$GLOBALS['__POST']["lang"];

To:
 81 if(isset($GLOBALS['__GET']["lang"]))
$GLOBALS["lang"]=basename($GLOBALS['__GET']["lang"]);
 82 elseif(isset($GLOBALS['__POST']["lang"]))
$GLOBALS["lang"]=basename($GLOBALS['__POST']["lang"]);

Parsing the parameters with basename() function the flaw its fixed.

And to prevent the full path disclosure...

From:
 88 require "./_lang/".$GLOBALS["language"].".php";
 89 require "./_lang/".$GLOBALS["language"]."_mimes.php";

To:
 88 if(file_exists("./_lang/".$GLOBALS["language"].".php")) require
"./_lang/".$GLOBALS["language"].".php";
 89 else require "./_lang/en.php";
 90 if(file_exists("./_lang/".$GLOBALS["language"]."_mimes.php"))
require "./_lang/".$GLOBALS["language"]."_mimes.php";
 91 else require "./_lang/en_mimes.php";

VIII. REFERENCES
-------------------------
http://sourceforge.net/projects/quixplorer/
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March    02, 2009: Initial release.
December 17, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
March    02, 2009: Vulnerability acquired by
                   Internet Security Auditors (www.isecauditors.com)
March    03, 2009: QuiXplorer contacted. No answer.
December 13, 2009: QuiXplorer contacted again. No answer.
December 17, 2009: Sent to lists with remediation proposal.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.