[UNIX] Alexandria-dev / SourceForge Multiple Vulnerabilities
From: support@securiteam.com
Date: 03/30/03
From: support@securiteam.com To: list@securiteam.com Date: 30 Mar 2003 16:14:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Alexandria-dev / SourceForge Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/alexandria-dev/> Alexandria is an
open-source project management system.
A modified version is used by the highly popular sourceforge.net web site,
which hosts a large percentage of all open source projects.
Multiple vulnerabilities have been found in the product, allowing attackers
to retrieve arbitrary files (for example /etc/passwd), to inject spam
through the mail server, and to insert malicious HTML and JavaScript into
existing web pages.
DETAILS
Vulnerable systems:
* Alexandria versions 2.5 and 2.0
Upload spoofing
Both Alexandria's "docman/new.php" script and its "patch/index.php" script
have upload spoofing vulnerabilities: they can be tricked into treating
any file on the web server as if it were the uploaded file.
When a file is uploaded, PHP stores it in a temporary file and saves its
location in the global variable named by the <input type="file"..> tag's
name attribute. The programmer is supposed to verify that the file really
was uploaded, using functions such as "is_uploaded_file()" or
"move_uploaded_file()", but many programmers forget to do so.
By POSTing some normal <input type="text"..> data to the two scripts
mentioned above, with the same name attribute as the file upload, an
attacker can exploit this and retrieve "/etc/passwd", "/etc/local.inc"
with SourceForge's database username/password combination, or other
important files.
Here is an example. A normal upload HTML form might look like this:
<form method="POST" enctype="multipart/form-data" action="script.php">
<input type="file" name="thefile" size="30">
<input type="submit" value="Upload it!">
</form>
To conduct upload spoofing on a vulnerable program like SourceForge, an
attacker can use this form instead:
<form method="POST" enctype="multipart/form-data" action="script.php">
<input type="text" name="thefile" value="/etc/passwd" size="30">
<input type="submit" value="Upload it!">
</form>
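The server-side pattern the advisory describes, beside a handler that performs the check it says is missing. This is an added example, not Alexandria's own code; the function names, the "thefile" field and the destination directory are assumptions.

```php
<?php
// Added example (not Alexandria's code): the upload-handling pattern the
// advisory describes, and a handler that refuses paths PHP did not upload.

// Vulnerable (register_globals era): the script trusts a global named after
// the <input type="file"> field. A POSTed text field with the same name sets
// $thefile to any path, so any readable server file is treated as "uploaded".
function store_upload_vulnerable($thefile, $destDir)
{
    // No is_uploaded_file() check before reading the file.
    return copy($thefile, $destDir . '/' . basename($thefile));
}

// Hardened: take the path only from $_FILES and verify it with
// is_uploaded_file() before touching it. move_uploaded_file() performs the
// same check internally and fails for paths PHP did not create for this
// request, so a spoofed text field never reaches the filesystem copy.
function store_upload_safe(array $files, $field, $destDir)
{
    if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        // Path did not originate from this request's multipart upload.
        return false;
    }
    // Do not reuse the client-supplied name for the destination path.
    $dest = $destDir . '/' . bin2hex(random_bytes(16));
    return move_uploaded_file($tmp, $dest) ? $dest : false;
}

// Usage (assumed field name "thefile", assumed storage directory):
// $saved = store_upload_safe($_FILES, 'thefile', '/var/www/uploads');
```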
Spamming and CRLF Injection
Alexandria's "sendmessage.php" script tries to prevent people from using
it for spamming, by only allowing "To" addresses that contain the domain
of the current Alexandria installation. It is very easy to get around,
though. If the domain is "our-site", a spammer can use the power of RFC
2822 to construct an e-mail address like "our-site
<mike@someothersite.net>", which will fool Alexandria into allowing
e-mails to mike@someothersite.net, as its domain is found somewhere in the
address.
The "sendmessage.php" script also suffers from CRLF injection, which lets
users add new mail headers, for instance to send HTML mail.
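A recipient check of the kind the advisory describes and a stricter replacement that also covers the CRLF problem. This is an added example, not Alexandria's sendmessage.php; the function names and the sample domain "our-site.example" are assumptions.

```php
<?php
// Added example (not Alexandria's code): the weak "domain appears somewhere
// in the address" check, beside a check that requires one bare address whose
// domain part matches exactly and that rejects header-injection characters.

// Weak: any string merely containing the domain passes, so the RFC 2822
// form "our-site <mike@someothersite.net>" is accepted.
function recipient_allowed_weak($to, $domain)
{
    return strpos($to, $domain) !== false;
}

// Strict: exactly one addr-spec, no display name or angle brackets, no
// CR/LF, and the part after '@' must equal the site's domain.
function recipient_allowed_strict($to, $domain)
{
    if (preg_match('/[\r\n<>,;\s]/', $to)) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)$/', $to, $m)) {
        return false;
    }
    return strcasecmp($m[1], $domain) === 0;
}

// Any value placed in a mail header (Subject, From, To) must be a single
// line; a CR or LF would end the header and let a caller start a new one.
function header_value_safe($value)
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed samples (assumed domain "our-site.example"):
assert(recipient_allowed_weak('our-site.example <mike@someothersite.net>', 'our-site.example') === true);
assert(recipient_allowed_strict('our-site.example <mike@someothersite.net>', 'our-site.example') === false);
assert(recipient_allowed_strict('mike@someothersite.net', 'our-site.example') === false);
assert(recipient_allowed_strict('alice@our-site.example', 'our-site.example') === true);
assert(header_value_safe("Hello\r\nContent-Type: text/html") === false);
assert(header_value_safe('Hello') === true);
```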
Cross Site Scripting
Users' real names, users' resumes (under skills profile), short and long
job descriptions as well as short project descriptions all suffer from
Cross Site Scripting problems. This means that malicious users may steal
other users' cookies or perform actions under their names.
Solution:
No new release will be issued. The source code is no longer
supported by SourceForge / VASoftware.
The latest version of the commercial solution "SourceForge Enterprise
Edition" is not believed to be vulnerable.
Vendor status:
19/03/2003 - SourceForge.net contacted
19/03/2003 - SourceForge.net confirmed
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003
28/03/2003 - Vulnerability public disclosure
We have also contacted other sites believed to use code derived from
SourceForge / Alexandria.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
<http://www.secunia.com/secunia_research/2003-2/advisory/>
The information has been provided by <mailto:tk@secunia.com> Thomas
Kristensen and Ulf Harnhammar.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.