[VulnWatch] Alexandria-dev / sourceforge multiple vulnerabilities

From: Thomas Kristensen (tk@secunia.com)
Date: 03/28/03

    From: Thomas Kristensen <tk@secunia.com>
    To: vulnwatch@vulnwatch.org
    Date: 28 Mar 2003 14:54:33 +0100
    
    

    ======================================================================

                           Secunia Research 28/03/2003

            - Alexandria-dev / sourceforge multiple vulnerabilities -

    ======================================================================
    Receive Secunia Security Advisories for free:
    http://www.secunia.com/subscribe_secunia_security_advisories/?6

    ======================================================================
    Table of Contents
    1..............................................Description of software
    2.......................................Description of vulnerabilities
    3....................................................Affected Software
    4.............................................................Severity
    5.............................................................Solution
    6...........................................................Time Table
    7........................................................About Secunia
    8..............................................................Credits
    9.........................................................Verification

    ======================================================================
    1) Description of software

    Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an
    open-source project management system.

    A modified version is used by the highly popular sourceforge.net web
    site, which hosts a large percentage of all open source projects.

    ======================================================================
    2) Description of vulnerabilities

    a) Upload spoofing

    Both Alexandria's "docman/new.php" script and its "patch/index.php"
    script are vulnerable to upload spoofing: an attacker can fool them
    into treating any file on the web server as if it were the uploaded
    file.

    When a file is uploaded, PHP stores it in a temporary file and saves
    its location in the global variable named by the <input
    type="file"..> tag's name attribute. The programmer is supposed to
    verify that the file really was uploaded, using functions such as
    "is_uploaded_file()" or "move_uploaded_file()", but this check is
    often forgotten.

    By POSTing ordinary <input type="text"..> data to the two scripts
    mentioned above, using the same name attribute as the file upload
    field, an attacker can exploit this to retrieve "/etc/passwd",
    "/etc/local.inc" (which holds SourceForge's database username/password
    combination), or other sensitive files.

    Here is an example. A normal upload HTML form might look like this:

    <form method="POST" enctype="multipart/form-data"
    action="script.php">
    <input type="file" name="thefile" size="30">
    <input type="submit" value="Upload it!">
    </form>

    To conduct upload spoofing on a vulnerable program like SourceForge,
    an attacker can use this form instead:

    <form method="POST" enctype="multipart/form-data"
    action="script.php">
    <input type="text" name="thefile" value="/etc/passwd" size="30">
    <input type="submit" value="Upload it!">
    </form>
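As an added illustration (not code from Alexandria or SourceForge), the handler below contrasts the vulnerable pattern the advisory describes with one that verifies the upload through PHP's is_uploaded_file()/move_uploaded_file(). It uses the field name "thefile" from the form above; the destination directory and the use of the $_FILES array (the later replacement for the register_globals behaviour the advisory refers to) are assumptions.

```php
<?php
// Added example, not code from Alexandria or SourceForge.
// Field name "thefile" comes from the advisory's form; UPLOAD_DIR is assumed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';  // assumed; keep it outside the document root

// VULNERABLE (the pattern the advisory describes). Under register_globals,
// $thefile is populated straight from the request, so a plain text field
// named "thefile" with the value "/etc/passwd" makes this routine copy that
// file into the upload area, where it can then be read back.
function save_upload_vulnerable(string $thefile, string $destName): string
{
    $dest = UPLOAD_DIR . '/' . $destName;
    copy($thefile, $dest);   // no check that $thefile is a real upload
    return $dest;
}

// HARDENED: read only the $_FILES entry, confirm the temp path was created by
// PHP's upload mechanism for this request, and choose the stored name on the
// server side.
function save_upload_checked(array $files, string $field): string
{
    $f = $files[$field] ?? null;
    if (!is_array($f) || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException("no valid upload in field '$field'");
    }
    // is_uploaded_file() is false for any path the client merely named,
    // which is exactly the spoofing trick this advisory describes.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not a genuine uploaded file');
    }
    // Reduce the client-supplied name to a safe character set and prefix it
    // with a random token so the client cannot pick the stored path.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($f['name']));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '_' . $safeName;
    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// In a request handler:
// $stored = save_upload_checked($_FILES, 'thefile');
```

The decisive line is the is_uploaded_file() check: a text field carrying "/etc/passwd" never passes it, because that path was not created by PHP for this request. Choosing the stored file name on the server closes the related problem of a client dictating where the copy lands.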

    b) Spamming and CRLF Injection

    Alexandria's "sendmessage.php" script tries to prevent its use for
    spamming by only allowing "To" addresses that contain the domain of
    the current Alexandria installation. This check is very easy to get
    around, though. If the domain is "our-site", a spammer can use RFC
    2822 address syntax to construct an address like
    "our-site <mike@someothersite.net>", which fools Alexandria into
    allowing e-mail to mike@someothersite.net, because the local domain
    appears somewhere in the address string.

    The "sendmessage.php" script also suffers from CRLF injection, which
    allows additional mail headers to be inserted, for instance to send
    HTML mail.
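As an added example for the two sendmessage.php issues (not Alexandria's code), the snippet below places the substring-style recipient check the advisory describes beside a strict one that accepts only a bare address whose domain part matches exactly, and adds a CR/LF check for anything that ends up in a header line. The domain "our-site.example" is assumed for illustration.

```php
<?php
// Added example, not Alexandria's code. SITE_DOMAIN is an assumed value.
declare(strict_types=1);

const SITE_DOMAIN = 'our-site.example';

// WEAK CHECK (the pattern the advisory describes): any address that merely
// contains the local domain string passes, so an RFC 2822 display name such
// as 'our-site.example <mike@someothersite.net>' is accepted.
function recipient_allowed_weak(string $to): bool
{
    return stripos($to, SITE_DOMAIN) !== false;
}

// STRICT CHECK: require a single bare addr-spec (no display name, angle
// brackets, comments or address lists) and compare the domain part exactly.
function recipient_allowed_strict(string $to): bool
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false;   // display-name forms and multiple addresses stop here
    }
    $at = strrpos($to, '@');
    if ($at === false) {
        return false;
    }
    $domain = strtolower(substr($to, $at + 1));
    return $domain === strtolower(SITE_DOMAIN);
}

// CRLF check for every value that is placed on a header line: a CR or LF
// inside the value would terminate the header and let the client start a
// new one (or the message body).
function header_value_clean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

function build_message(string $to, string $subject, string $body): array
{
    if (!recipient_allowed_strict($to)) {
        throw new InvalidArgumentException('recipient is not on the local domain');
    }
    foreach ([$to, $subject] as $headerValue) {
        if (!header_value_clean($headerValue)) {
            throw new InvalidArgumentException('CR/LF in header value');
        }
    }
    return ['to' => $to, 'subject' => $subject, 'body' => $body];
}

// Constructed inputs for a quick comparison of the two checks:
$spoofed = 'our-site.example <mike@someothersite.net>';
$local   = 'alice@our-site.example';
var_dump(recipient_allowed_weak($spoofed), recipient_allowed_strict($spoofed));
var_dump(recipient_allowed_strict($local));
var_dump(header_value_clean("Hello\r\nBcc: someone@someothersite.net"));
```

On the display-name address the weak check passes and the strict check fails; the plain local address passes the strict check; the subject carrying an embedded CR/LF sequence is rejected before it can reach a header. Rejecting CR and LF at the boundary is simpler and safer than trying to list which injected headers would be harmful.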

    c) Cross Site Scripting

    Users' real names, users' resumes (under the skills profile), short
    and long job descriptions, and short project descriptions all suffer
    from Cross Site Scripting problems. This means that malicious users
    may steal other users' cookies or perform actions in their names.
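As an added example (not Alexandria's code), the two functions below render one of the affected fields, a user's real name, first by raw interpolation and then with output encoding via htmlspecialchars(). The sample value is constructed and uses a harmless marker script rather than a real payload.

```php
<?php
// Added example, not Alexandria's code. The profile value is constructed.
declare(strict_types=1);

const SAMPLE_REAL_NAME = 'Mike <script>alert(1)</script>';   // constructed

// VULNERABLE: the stored value is written straight into the page, so any
// markup a user saved in their profile is parsed by every viewer's browser.
function render_name_vulnerable(string $realName): string
{
    return '<td class="realname">' . $realName . '</td>';
}

// HARDENED: encode on output. <, >, &, " and ' become entities, so the value
// is displayed as text instead of being interpreted as HTML or script.
function render_name_escaped(string $realName): string
{
    $safe = htmlspecialchars($realName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="realname">' . $safe . '</td>';
}

echo render_name_vulnerable(SAMPLE_REAL_NAME), PHP_EOL;
echo render_name_escaped(SAMPLE_REAL_NAME), PHP_EOL;
```

Encoding at the point of output, with ENT_QUOTES so the value is also safe inside quoted attributes, covers every field listed above with the same one-line change; filtering on input alone is easy to bypass and leaves already-stored data unprotected.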

    ======================================================================
    3) Affected Software

    At least Alexandria versions 2.5 and 2.0 are vulnerable to these
    problems.

    WebSite:
    http://sourceforge.net/projects/alexandria-dev/

    ======================================================================
    4) Severity

    Rating: Highly critical
    Impact: Cross Site Scripting
              Exposure of system information
              Security Bypass
    Where: From Remote

    ======================================================================
    5) Solution

    No new release will be issued: the source code is no longer
    supported by SourceForge / VASoftware.

    The latest version of the commercial solution "SourceForge Enterprise
    Edition" is not believed to be vulnerable.

    ======================================================================
    6) Time Table

    19/03/2003 - SourceForge.net contacted
    19/03/2003 - SourceForge.net confirmed
    21/03/2003 - SourceForge.net asked us to hold until 26/3/2003
    28/03/2003 - Vulnerability public disclosure

    We have also contacted other sites believed to use code derived from
    SourceForge / Alexandria.

    ======================================================================
    7) About Secunia

    Secunia collects, validates, assesses and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia website:
    http://www.secunia.com/

    Secunia offers services to our customers enabling them to receive all
    relevant vulnerability information to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:
    http://www.secunia.com/subscribe_secunia_security_advisories/?5

    ======================================================================
    8) Credits

    Discovered by Ulf Harnhammar

    ======================================================================
    9) Verification

    Please verify this advisory by visiting the Secunia website.
    http://www.secunia.com/secunia_research/2003-2/

    ======================================================================

