[UNIX] Trac Fileupload/download Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/20/05

    To: list@securiteam.com
    Date: 20 Jun 2005 10:31:32 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Trac Fileupload/download Vulnerability


    " <http://www.edgewall.com> Trac is an enhanced Wiki and issue tracking
    system for software development projects. Trac uses a minimalistic
    approach to web-based software project management. Our mission: to help
    developers write great software while staying out of the way. Trac should
    impose as little as possible on a team's established development process
    and policies.

    It provides an interface to Subversion, an integrated Wiki and convenient
    report facilities.

    Trac allows wiki markup in issue descriptions and commit messages,
    creating links and seamless references between bugs, tasks, changesets,
    files and Wiki pages. A timeline shows all project events in order, making
    getting an overview of the project and tracking progress very easy."

    During an evaluation of Trac, an input validation vulnerability was
    discovered which can lead to arbitrary uploading and downloading of files
    with the permissions of the web server. Under some circumstances this can
    lead to remote code execution, depending on the configuration of the web
    server and the permissions on the directories within the document root.


    Vulnerable Systems:
     * Trac version 0.8.3 and prior

    Immune Systems:
     * Trac version 0.8.4

    Trac's wiki and ticket systems allow users to add attachments to wiki
    entries and bug tracker tickets. These attachments are stored within
    directories whose names are derived from the id of the corresponding
    ticket or wiki entry.

    Due to a missing validation of the id parameter it is possible for an
    attacker to supply arbitrary paths to the upload and attachment viewer
    scripts. This means that a potential attacker can retrieve any file
    accessible by the web server user.

    Additionally, it is possible to upload arbitrary files (up to the
    configured maximum file size) to any location the web server has write
    access to.
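The two paragraphs above describe the root cause: an attachment directory is built from a user-supplied id that is never validated, so the id can steer the path outside the attachment store. The following Python example is added here to illustrate that pattern and its fix; it is not Trac's own code and does not reproduce Trac 0.8's real directory layout. The root directory, the id formats (decimal ticket numbers, restricted wiki page names) and the function names are assumptions made for the example.

```python
import os
import re
from pathlib import Path

# Assumed attachment store for this example (constructed, not Trac's layout).
ATTACH_ROOT = Path("/var/trac/project/attachments")

# Assumed id formats: ticket ids are decimal integers, wiki page names are
# limited to a conservative character set that contains no path separators.
TICKET_ID = re.compile(r"[0-9]+")
WIKI_NAME = re.compile(r"[A-Za-z0-9_.-]+")


class InvalidAttachmentId(ValueError):
    """Raised when an id does not match the allow-list for its object type."""


def is_inside(root, path):
    """True if `path`, after canonicalisation, is `root` or lies below it."""
    root_r = Path(root).resolve(strict=False)
    path_r = Path(path).resolve(strict=False)
    return path_r == root_r or root_r in path_r.parents


def unsafe_attachment_dir(kind, ident, root=ATTACH_ROOT):
    """Mirrors the flaw the advisory describes: the id is joined into the
    path without any validation, so an id containing '..' or separators
    selects a directory outside the attachment store."""
    return os.path.normpath(os.path.join(str(root), kind, ident))


def safe_attachment_dir(kind, ident, root=ATTACH_ROOT):
    """Hardened lookup: allow-list the id per object type, then confirm the
    canonical result still lies under the store (defence in depth)."""
    if kind == "ticket":
        ok = TICKET_ID.fullmatch(ident) is not None
    elif kind == "wiki":
        # The wiki regex admits '.', so the two special names are excluded explicitly.
        ok = WIKI_NAME.fullmatch(ident) is not None and ident not in (".", "..")
    else:
        raise InvalidAttachmentId("unknown object type %r" % (kind,))
    if not ok:
        raise InvalidAttachmentId("malformed %s id %r" % (kind, ident))

    base = Path(root) / kind
    target = base / ident
    # The regexes already forbid separators; this check catches any future
    # relaxation of the allow-list or an unexpected root configuration.
    if not is_inside(base, target):
        raise InvalidAttachmentId("id %r escapes the attachment store" % (ident,))
    return str(target.resolve(strict=False))


if __name__ == "__main__":
    # Constructed sample ids: one benign, one malformed.
    for kind, ident in (("ticket", "42"), ("ticket", "../../../../../outside/file")):
        unsafe = unsafe_attachment_dir(kind, ident)
        print("unsafe:", unsafe, "inside store:", is_inside(ATTACH_ROOT, unsafe))
        try:
            print("safe:  ", safe_attachment_dir(kind, ident))
        except InvalidAttachmentId as exc:
            print("safe:   rejected ->", exc)
```

The allow-list is the primary control: a ticket id that is not a decimal integer is never used to build a path at all. The containment check is deliberately redundant, so that a later change to the id grammar cannot silently reintroduce the traversal.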

    For obvious reasons this can lead to the execution of arbitrary code if it
    is possible to upload files to the document root or its subdirectories.
    One example of such a configuration would be running Trac and s9y or
    WordPress with writable content directories on the same web server.

    Another potential use of this flaw would be to abuse Trac-powered web
    servers as storage for files such as torrents.

    Disclosure Timeline:
    16. June 2005 - Contacted edgewall via email
    19. June 2005 - Vendor released bug fixed version
    20. June 2005 - Public disclosure

    We strongly recommend upgrading to the vendor-supplied new version, Trac
    0.8.4 <http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz>


    The information has been provided by Stefan Esser
    <mailto:sesser@hardened-php.net>.
    The original article can be found at:


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
