Exploit found: Jumi script file location shown using $2

Post by slagathor » Fri Jan 13, 2012 11:51 am

I've recently found an exploit in Jumi that I find to be a bit disturbing. If you load a PHP-driven form that uses $_POST values to pre-populate the form fields, and load this file with Jumi into an article using the plugin tag as such:

{jumi [path/to/script.php]}

then any user can discover the location of the source file by simply placing '$2' into one of the form fields. Unless you add specific search/replace code for $1 and $2 when processing the user input data, $1 will be replaced with 'jumi' and $2 will be replaced with '[path/to/script.php]'.

For example, try putting the sample code into a file and loading it into an article with the Jumi plugin to see what I mean:

Code:
<form id="form" name="form1" method="post" action="">
  <p>Hit submit to see the vulnerability:
    <!-- First load: the field shows a literal "$2" (the backslash stops Jumi expanding it).
         After submit: the user's value is echoed back and Jumi expands any "$2" it contains.
         HTML-escaping the value does not prevent this, since "$" is not an HTML special character. -->
    <input name="some_input_text" type="text" value="<?php if (isset($_POST['Submit']) && $_POST['Submit'] == 'Submit') echo htmlspecialchars($_POST['some_input_text'] ?? '', ENT_QUOTES); else echo '\$2'; ?>"/>
  </p>
  <p>
    <input type="submit" name="Submit" id="Submit" value="Submit" />
  </p>
</form>


Any thoughts on this? This really seems like it's way too gaping of a vulnerability to just expect people to implicitly anticipate that Jumi will do this and escape the dollar sign for this special case.

Cheers,
Ben
slagathor
 
Posts: 1
Joined: Fri Jan 13, 2012 11:16 am

Re: Exploit found: Jumi script file location shown using $2

Post by kclark » Wed Apr 02, 2014 1:00 am

This is for any script I believe. I have some php code where I have a drop down box such as the one below. The $ comes up jumi and $2 shows the path of the page, $3 $4 & $5 show nothing. The first select below is my code, the second select is what shows on my page. Any ideas to fix this?


<select name='pricerange' size="1">
<option value="0">Price Range</option>
<option value="1">Up To $1,000</option>
<option value="2">$1,001 to $1,500</option>
<option value="3">$1,501 to $2,000</option>
<option value="4">$2,001 to $2,500</option>
<option value="5">$2,501 to $3,000</option>
<option value="6">$3,001 to $3,500</option>
<option value="7">$3,501 to $4,000</option>
<option value="8">$4,001 to $4,500</option>
<option value="9">$4,501 to $5,000</option>
<option value="10">$5,001 and Up</option>
</select>

<select name='pricerange' size="1">
<option value="0">Price Range</option>
<option value="1">Up To 1,000</option>
<option value="2">1,001 to jumi,500</option>
<option value="3">jumi,501 to [selectionroom/productlist.php],000</option>
<option value="4">[selectionroom/productlist.php],001 to [selectionroom/productlist.php],500</option>
<option value="5">[selectionroom/productlist.php],501 to ,000</option>
<option value="6">,001 to ,500</option>
<option value="7">,501 to ,000</option>
<option value="8">,001 to ,500</option>
<option value="9">,501 to ,000</option>
<option value="10">,001 and Up</option>
</select>
kclark
 
Posts: 2
Joined: Wed Apr 02, 2014 12:52 am

Re: Exploit found: Jumi script file location shown using $2

Post by kclark » Tue Apr 08, 2014 8:22 pm

Figured it out if anyone needs to know. Just use "\" backslash in front of the $ sign. So my code above now looks like this:

<select name='pricerange' size="1">
<option value="0">Price Range</option>
<option value="1">Up To \$1,000</option>
<option value="2">\$1,001 to \$1,500</option>
<option value="3">\$1,501 to \$2,000</option>
<option value="4">\$2,001 to \$2,500</option>
<option value="5">\$2,501 to \$3,000</option>
<option value="6">\$3,001 to \$3,500</option>
<option value="7">\$3,501 to \$4,000</option>
<option value="8">\$4,001 to \$4,500</option>
<option value="9">\$4,501 to \$5,000</option>
<option value="10">\$5,001 and Up</option>
</select>
kclark
 
Posts: 2
Joined: Wed Apr 02, 2014 12:52 am
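The substitution the first post describes, and the backslash fix from the post above, modelled as an added PHP example (this is not Jumi's own code; the tag regex and the run_script stand-in are assumptions chosen to reproduce the symptoms reported in the thread):

```php
<?php
// Added example, not Jumi's own code. It models what the thread reports:
// the included script's output is handed to preg_replace() as the
// *replacement* string, so "$1"/"$2" (and "\1"/"\2") inside that output
// expand to the groups that matched the {jumi [...]} tag. The regex is an
// assumption chosen to reproduce the symptoms ($1 = "jumi", $2 = "[path]").
const JUMI_TAG = '/\{(jumi)\s+(\[[^\]]*\])\}/';

// Constructed stand-in for the included script: echoes the submitted field
// back into the form, as the first post's form does. HTML-escaping does not
// help here, because "$" is not an HTML special character.
function run_script(string $user_value): string
{
    return '<input name="some_input_text" type="text" value="'
        . htmlspecialchars($user_value, ENT_QUOTES) . '"/>';
}

// Vulnerable pattern: script output used as the replacement string.
function render_vulnerable(string $article, string $user_value): string
{
    return preg_replace(JUMI_TAG, run_script($user_value), $article);
}

// Fix 1: produce the output in a callback. Its return value is inserted
// verbatim; no $n / \n expansion is applied to it.
function render_safe(string $article, string $user_value): string
{
    return preg_replace_callback(
        JUMI_TAG,
        fn(array $m): string => run_script($user_value),
        $article
    );
}

// Fix 2: if the replacement-string form must stay, neutralise both characters
// preg_replace() treats specially in a replacement: backslash and dollar.
// This is the "\$" trick the later post applies by hand, done for all output.
function escape_replacement(string $output): string
{
    return strtr($output, ['\\' => '\\\\', '$' => '\\$']);
}

$article = 'Intro {jumi [path/to/script.php]} outro';

echo render_vulnerable($article, '$2'), PHP_EOL;
echo render_safe($article, '$2'), PHP_EOL;
echo preg_replace(JUMI_TAG, escape_replacement(run_script('$1 or \\2')), $article), PHP_EOL;
```

Run it with the php CLI (7.4 or later for the arrow function): the first line prints the include path in place of the typed "$2", while the other two keep the user's text exactly as typed.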

