[Full-Disclosure] Double Choco Latte multiple vulnerabilities

From: Ulf Harnhammar (full-disclosure@lists.netsys.com)
Date: 07/14/02


From: full-disclosure@lists.netsys.com (Ulf Harnhammar)
Date: Sun, 14 Jul 2002 22:48:23 +0200 (CEST)

Double Choco Latte multiple vulnerabilities

PROGRAM: Double Choco Latte
VENDOR: Michael Dean <mdean@users.sourceforge.net>
        GNU Enterprise <info@gnue.org>
HOMEPAGE: http://dcl.sourceforge.net/index.php
VULNERABLE VERSIONS: 20020215, possibly others
NOT VULNERABLE VERSIONS: 20020706
LOGIN REQUIRED: yes
SEVERITY: high

DESCRIPTION:

"Double Choco Latte is a package that provides basic project
management capabilities, time tracking on tasks, call tracking,
email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It is licensed under the GPL (GNU Public License),
which means it is free to study, distribute, modify, and use."

(direct quote from the program's homepage)

SECURITY HOLES:

1) Both in Projects: Upload File Attachment and in Work Orders:
Import, the program allows file uploads to occur, without checking
if the four global variables with information about an upload (foo,
foo_name, foo_size and foo_type) really were set by uploading a
file or if they were normal POST data. This means that the upload
functions can be fooled into treating any file that the web server
can read (like /etc/passwd) as if it is the uploaded file.

You fix this by using PHP's is_uploaded_file() function, which
checks if a real upload has taken place.

2) When downloading files in Projects: Attachments, Double Choco
Latte doesn't check if the path contains any ".." strings. This
makes it possible for an attacker to download any file that the web
server can read. He or she can download /etc/passwd by asking for
"../../../../../../../etc/passwd".

3) Double Choco Latte has got lots of XSS (Cross-Site Scripting)
issues, as the program displays user-supplied data without removing
HTML tags. This occurs in Ticket# Find, Priorities, Severities,
Projects, WO# Find, Departments and Users.

You fix this with the htmlspecialchars() function.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 26th and 30th of May, and on the
26th of June. They released version 20020706, which does not have
any of these security holes, on the 5th of July.

RECOMMENDATION:

I recommend that all administrators upgrade to version 20020706.

// Ulf Harnhammar
ulfh@update.uu.se