SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  PHProjekt
Vendors:  Guenther, Albrecht
PHProjekt Groupware Has Multiple Flaws That Allow Remote Users to Gain Unauthorized Access, Make Changes to the Database, and View Files Located Anywhere on the System
Date:  Apr 25 2002
Impact:  Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 3.2
Description:  Multiple vulnerabilities were reported in the PHProjekt groupware application. A remote user can access certain scripts without authentication. A remote authenticated user can view files located anywhere on the server and make changes to the underlying database.

Several vulnerabilities were reported, as discussed below.

A remote user can send specially crafted URLs to circumvent the authentication requirement of some of the system scripts. The system reportedly decides whether a request needs authentication by checking the $PHP_SELF variable for certain strings, such as 'sms', that occur in the names of scripts that do not require a login. However, $PHP_SELF includes the PATH_INFO portion of the request (the path segment appended after the script name). A remote user can therefore append such a string as PATH_INFO to the URL of a protected script, and the system will treat the request as one that does not require authentication. An example URL that carries the 'sms' string as PATH_INFO is shown below:

http://www.somehost.com/phprojekt/mail/mail_send.php/sms
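The check described above, rebuilt as an added example that is not PHProjekt's own code: a substring test on $PHP_SELF beside a check on the executing script's file name. The function names, the request paths and the exact public script name 'sms.php' are assumptions; 'sms' is the only marker string the advisory names, so it is the only one used.

```php
<?php
// Added example, not PHProjekt code. Shows why a "is this a public script?"
// check on $PHP_SELF is bypassed by PATH_INFO, and a safer form.
// Function names, request paths and the file name 'sms.php' are hypothetical.

// Vulnerable form: the request is treated as a public script if the whole
// request path contains a public script's name. $PHP_SELF (today
// $_SERVER['PHP_SELF']) includes PATH_INFO under Apache, so
// "/phprojekt/mail/mail_send.php/sms" contains "sms" and is let through.
function needs_login_vulnerable(string $php_self): bool
{
    $public_markers = ['sms'];
    foreach ($public_markers as $marker) {
        if (strpos($php_self, $marker) !== false) {
            return false;           // treated as public: no login check
        }
    }
    return true;
}

// Hardened form: decide on the executing script's file name only, taken
// from SCRIPT_NAME (which does not carry PATH_INFO), compared exactly
// against an allow-list instead of by substring.
function needs_login_hardened(string $script_name): bool
{
    $public_scripts = ['sms.php'];
    return !in_array(basename($script_name), $public_scripts, true);
}

// Constructed requests (not real traffic). For each, the first value is
// what $PHP_SELF would hold, the second what SCRIPT_NAME would hold.
$requests = [
    ['/phprojekt/sms.php',               '/phprojekt/sms.php'],
    ['/phprojekt/mail/mail_send.php',     '/phprojekt/mail/mail_send.php'],
    ['/phprojekt/mail/mail_send.php/sms', '/phprojekt/mail/mail_send.php'],
];
foreach ($requests as [$php_self, $script_name]) {
    printf("%-36s vulnerable: %-9s hardened: %s\n",
        $php_self,
        needs_login_vulnerable($php_self) ? 'login' : 'NO LOGIN',
        needs_login_hardened($script_name) ? 'login' : 'NO LOGIN');
}
// The third request is the bypass: the vulnerable check lets a protected
// script through because its PATH_INFO contains "sms"; the hardened check
// still demands a login because the script name is mail_send.php.
```

Better still is not to infer the requirement from the URL at all: each protected script performs the login check itself at the top. That also covers the scripts the advisory says never check at all.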


It is reported that the upload functions do not check whether the variables describing an upload were set by an actual file upload or supplied as ordinary POST data. An authenticated remote user can therefore place the path of a local file (such as '/etc/passwd') in those variables, causing the system to treat that file as the uploaded data and read it.

Many SQL statements reportedly include user-supplied values without quoting them, so an authenticated remote user can inject SQL into those statements and modify or delete far more of the underlying database than intended.
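The unquoted-id injection described above, as an added example that is not PHProjekt's own code, run against a constructed in-memory SQLite table so the effect is visible, beside two fixes. The table and column names follow the illustration in the original report; the function names are hypothetical, and the block assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not PHProjekt code. Runs the unquoted-id injection the
// advisory describes against a constructed in-memory SQLite table, beside
// two fixes. Table and column names follow the advisory's illustration;
// function names are hypothetical. Assumes the pdo_sqlite extension.

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contacts (intTableID INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO contacts (intTableID, name) VALUES (1,'Anna'), (2,'Bert'), (3,'Cleo')");
    return $db;
}

function names(PDO $db): string
{
    return implode(',', $db->query('SELECT name FROM contacts ORDER BY intTableID')
                            ->fetchAll(PDO::FETCH_COLUMN));
}

// Vulnerable: the request parameter is pasted into the statement unquoted, so
// it may be any SQL expression. id="intTableID" yields
//   UPDATE contacts SET name='Ulf' WHERE intTableID=intTableID
// which is true for every row; "1 OR 1=1" has the same effect.
function rename_vulnerable(PDO $db, string $id, string $name): int
{
    return $db->exec("UPDATE contacts SET name='$name' WHERE intTableID=$id");
}

// Fix 1, what a PHP script of that era could do: force the numeric type and
// escape the string column. "intTableID" casts to 0 and "1 OR 1=1" to 1,
// and no row has intTableID 0, so the injected payload matches nothing.
function rename_cast(PDO $db, string $id, string $name): int
{
    $id   = (int) $id;
    $name = str_replace("'", "''", $name);
    return $db->exec("UPDATE contacts SET name='$name' WHERE intTableID=$id");
}

// Fix 2, preferred: a prepared statement keeps the data out of the SQL text.
function rename_prepared(PDO $db, string $id, string $name): int
{
    $st = $db->prepare('UPDATE contacts SET name = :name WHERE intTableID = :id');
    $st->bindValue(':id',   (int) $id, PDO::PARAM_INT);
    $st->bindValue(':name', $name,     PDO::PARAM_STR);
    $st->execute();
    return $st->rowCount();
}

// The advisory's payload against each variant, on a fresh table every time.
foreach (['rename_vulnerable', 'rename_cast', 'rename_prepared'] as $fn) {
    $db = fresh_db();
    $n  = $fn($db, 'intTableID', 'Ulf');
    printf("%-17s id='intTableID' -> %d row(s) changed, names now: %s\n", $fn, $n, names($db));
}
// A legitimate call through the prepared version changes exactly the row asked for.
$db = fresh_db();
printf("%-17s id='2'          -> %d row(s) changed, names now: %s\n",
    'rename_prepared', rename_prepared($db, '2', 'Ulf'), names($db));
```

The integer cast is the minimal fix for numeric columns and is what the advisory's example calls for; the prepared statement is the general one, because it also protects the string column without hand-written escaping.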

It is also reported that some scripts that should require a login never check whether the user is logged in, allowing a remote user without sufficient privileges to view or edit data in the system by posting the appropriate data to those scripts.

The system reportedly fails to filter the '../' directory traversal sequence from file names, allowing an authenticated remote user to read files outside the PHProjekt directory (e.g., "../../../../../etc/passwd").
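The two file-handling flaws described above (the upload variables trusted without checking for a real upload, and the unfiltered '../' in file names), as one added example that is not PHProjekt's own code, each beside a hardened form. The variable and function names, the store directory and the sample file are assumptions; the demonstration writes one constructed file into a temporary directory.

```php
<?php
// Added example, not PHProjekt code. Shows the two file-handling flaws the
// advisory describes, each beside a hardened form: (1) an upload variable
// trusted without checking that PHP itself received an upload, and (2) a
// file name joined onto a directory without rejecting "../".
// All names ($userfile, $base, the functions) are hypothetical.

// --- (1) Upload spoofing ---------------------------------------------------
// Vulnerable: under register_globals (the PHP default in 2002) a real upload
// sets $userfile to PHP's temporary file, but an ordinary POST field named
// "userfile" sets the same variable to whatever the client sent, e.g.
// "/etc/passwd". copy() then reads that file as "the upload".
function store_upload_vulnerable(string $userfile, string $name, string $base): string
{
    $dest = "$base/$name";
    copy($userfile, $dest);
    return $dest;
}

// Hardened: use $_FILES and accept the path only if PHP created it for this
// request. move_uploaded_file() repeats that check before moving.
function store_upload_hardened(array $file, string $base): ?string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;                              // not an upload: refuse
    }
    $dest = $base . '/' . basename($file['name']);
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- (2) Directory traversal on read ---------------------------------------
// Vulnerable: the requested name goes straight onto the store path, so
// "../../../../../etc/passwd" walks out of it.
function read_file_vulnerable(string $name, string $base): ?string
{
    $data = @file_get_contents("$base/$name");
    return $data === false ? null : $data;
}

// Hardened: resolve the final path and require it to stay inside $base.
// The trailing separator stops "/store-other" passing as inside "/store".
function resolve_under_base(string $name, string $base): ?string
{
    $real_base = realpath($base);
    $real      = realpath($base . '/' . $name);
    if ($real_base === false || $real === false) {
        return null;
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function read_file_hardened(string $name, string $base): ?string
{
    $path = resolve_under_base($name, $base);
    if ($path === null) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed demonstration: a throw-away store holding one real file.
$base = sys_get_temp_dir() . '/phprojekt_store_demo';
@mkdir($base);
file_put_contents("$base/report.txt", "constructed sample report\n");

foreach (['report.txt', '../../../../../etc/passwd', '/etc/passwd'] as $name) {
    printf("read %-28s vulnerable: %-9s hardened: %s\n", $name,
        read_file_vulnerable($name, $base) === null ? 'no data' : 'got data',
        read_file_hardened($name, $base)   === null ? 'rejected' : 'got data');
}
// A plain POST value posing as an upload is refused by the hardened version,
// because is_uploaded_file() only accepts files PHP received in this request.
$fake = ['tmp_name' => '/etc/passwd', 'name' => 'passwd.txt'];
printf("spoofed upload: %s\n", store_upload_hardened($fake, $base) === null ? 'refused' : 'accepted');
```

The realpath() check is preferable to stripping '../' from the name, since it also catches encoded or repeated variants by judging the resolved path rather than the string.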

Impact:  A remote user may be able to gain access to certain scripts without authentication. An authenticated remote user can edit the underlying database and view files located anywhere on the system.
Solution:  The vendor has released a fixed version (3.2), available at:

http://www.phprojekt.com/

Vendor URL:  www.phprojekt.com/
Cause:  Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based
Reported By:  Ulf Harnhammar <ulfh@update.uu.se>
Message History:   None.


 Source Message Contents

Date:  Thu, 25 Apr 2002 01:57:55 +0200 (CEST)
From:  Ulf Harnhammar <ulfh@update.uu.se>
Subject:  PHProjekt multiple vulnerabilities

 

PHProjekt multiple vulnerabilities

PROGRAM: PHProjekt
VENDOR: Albrecht Guenther (ag@phprojekt.com) et al.
HOMEPAGE: http://www.phprojekt.com/
VULNERABLE VERSIONS: all versions below 3.2
LOGIN REQUIRED: yes (some issues), no (some issues)
SEVERITY: high


DESCRIPTION:

"PHProjekt is a groupware suite which supports communication and management of
teams and companies via an Intranet and the Internet. It consists of multiple
components, including a group calendar with resource booking, a time card
system, project management, a request tracker, a mutual filesystem, a contact
manager, a mail client, a forum, chat, notes, shared bookmarks, todo lists, a
voting system, and reminders. Language files are available for over 20
languages, and an extensive help system is included."
(direct quote from the program's project page at Freshmeat)

PHProjekt is written in PHP, and it is published under the terms of the GNU
General Public License.


SECURITY HOLES:

I have found many security holes in this program. They can be divided into
five categories:

1) Some of the scripts in the system require that the user is logged in, while
others don't. The system differentiates between them by checking the current
URL in the variable $PHP_SELF to see if it contains strings like "sms" (the
name of one of the scripts that don't require logging in contains that
string). Unfortunately, $PHP_SELF includes the PATH_INFO part of a request.
This means that we can fool the system into thinking that we are accessing a
script that doesn't need logging in, while in fact we are accessing a script
that does. This is done by constructing a URL like
"http://www.somehost.com/phprojekt/mail/mail_send.php/sms", where the
PATH_INFO part is "/sms".

2) The upload functions in the system don't check if the variables related to
an upload actually were set by uploading a file or if they are normal POST
data. This can be used to make the system treat any file it can read, like
"/etc/passwd", as the uploaded data.

3) Many SQL statements in the system include user data without enclosing it in
apostrophes or quotes. This means that much more data than intended can be
deleted or changed. If the system uses the parameter "id" in the string
"UPDATE table SET name='Ulf' WHERE intTableID=$id", giving "id" the value
"intTableID" means that we will end up executing the statement "UPDATE table
SET name='Ulf' WHERE intTableID=intTableID". This statement will change all
names in the table to Ulf.

4) Some of the scripts that should require logging in never check if you are
in fact logged in. This means that a person with insufficient privileges can
view or edit data in the system, by posting the right data to those scripts.

5) Files are accessed without proper checking of their file names for slashes
and dots. This means that we can read files outside of the PHProjekt system by
entering file names like "../../../../../etc/passwd".


COMMUNICATION WITH VENDOR:

The first security hole was reported to the vendor on the 15th of March, and
the last one a couple of weeks later. Version 3.2, which is not vulnerable to
any of these issues, was released on the 11th of April.


RECOMMENDATION:

I recommend that all administrators upgrade to version 3.2 immediately.


// Ulf Harnhammar
ulfh@update.uu.se










Copyright 2002, SecurityGlobal.net LLC