Message-ID: <20060318100839.5bchrs808ows8sgc@neo.wg.de>
Date: Sat, 18 Mar 2006 10:08:39 +0100
From: Jan Schneider <jan@...de.org>
To: bugtraq@...urityfocus.com
Subject: Re: CodeScan Advisory: Unauthenticated Arbitrary File Read in
Horde v3.09 and prior
Just FYI, no one of the Horde developers was able to reproduce this,
and it should only be exploitable if you have a PHP version that has
bugs in both parse_url() and readfile().
Besides that, the reporters unfortunately stopped talking to us in the
middle of the process, dunno why.
Quoting CodeScan Labs <advisories@...escan.com>:
> ========================================================================
> = CodeScan Advisory, codescan.com <advisories@...escan.com>
> =
> = Unauthenticated Arbitrary File Read in Horde v3.09 and prior
> =
> = Vendor Website:
> = http://www.horde.org
> =
> = Affected Version:
> = Versions prior to and including v3.09
> =
> = Researched By
> = Paul Craig <paul.craig@...urity-assessment.com>
> =
> = Public disclosure on March 15th, 2006
> ========================================================================
>
> == Overview ==
>
> CodeScan Labs (www.codescan.com), has recently released a new source
> code scanning tool, CodeScan. CodeScan is an advanced auditing tool
> designed to check web application source code for security vulnerabilities.
> CodeScan utilises an intelligent source code parsing engine, traversing
> execution paths and tracking the flow of user supplied input.
>
> During the beta testing of CodeScan PHP, Horde v3.09 was selected as
> one of the test applications.
>
> This advisory is the result of research into the security of Horde, based
> on the report generated by the CodeScan tool.
>
> CodeScan Labs has also worked with the vendor of Horde to ensure future
> versions of the product are secure.
>
> == Affected Versions ==
>
> Although all versions of Horde v3.09 and prior are vulnerable to this
> attack, many distributions of PHP are not vulnerable by default.
> This vulnerability was tested and exploited on a default Fedora Core 4
> install, although several Horde developers were unable to reproduce this
> vulnerability on Debian based servers.
>
> == Vulnerability Details ==
>
> In the file /services/go.php, an insecure call is made to the readfile()
> function.
>
> This can be seen in the code below.
> --------------------------------------------------------------
> $_GET['url'] = trim($_GET['url']);
>
> if (get_magic_quotes_gpc()) {
>     $url = @parse_url(trim(stripslashes($_GET['url'])));
> } else {
>     $url = @parse_url(trim($_GET['url']));
> }
>
> if (empty($url) || empty($url['host'])) {
>     exit;
> }
>
> if ((!empty($_SERVER['SERVER_NAME']) &&
>      $_SERVER['SERVER_NAME'] == $url['host']) ||
>     (!empty($_SERVER['HTTP_HOST']) &&
>      $_SERVER['HTTP_HOST'] == $url['host'])) {
>
>     .........
>
>     // Pass through image content if requested.
>     if (!empty($_GET['untrusted'])) {
>         readfile($_GET['url']);
>         exit;
> --------------------------------------------------------------
> Calls to parse_url attempt to sanitise the input through
> the requirement of an http:// type string.
>
> Embedding a NULL character within the URL variable enables
> an attacker to control the variable passed to readfile()
> leading to the reading of any file on the file system with
> the privileges of the web server.
>
> == Solutions ==
>
> CodeScan Labs has been in contact with Horde and a new version of
> the software has been released to address the discovered
> vulnerability.
>
> Users are advised to upgrade to version 3.1
> ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz
>
> == Credit ==
>
> Discovered and advised to Horde 4th March, 2006 by Paul Craig of
> Security-Assessment.com
>
> == About CodeScan Labs Ltd ==
>
> CodeScan Labs is a specialist security research and development
> organisation that has developed the cornerstone application, CodeScan.
> CodeScan Labs helps organisations secure their web services through the
> automated scanning of the web application source code for security
> vulnerabilities. The CodeScan product is currently available for ASP
> and PHP (Beta).
>
> == About Security-Assessment.com ==
>
> Security-Assessment.com is Australasia's only pure play security
> company, specialising in security audit, assurance and advice services.
> Assisting large and medium size Enterprises who require true independent
> measurement of their security compliance at all levels.
>
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
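As an added defensive illustration (not Horde's code and not part of the advisory or Jan's reply), here is how the go.php host check quoted above could be hardened so that parse_url() and readfile() can never disagree about which resource the string names: control bytes are rejected before any parsing, the scheme is restricted to http/https, and the host comparison is normalised. The function name safe_passthrough_url, the 400 response and the port-stripping are assumptions of this example, not Horde's actual fix.

```php
<?php
// Hardened variant of the go.php check from the advisory (example code, not Horde's).
// Returns the validated URL, or null when the request must be refused.
function safe_passthrough_url(string $raw, array $server): ?string
{
    // 1. NUL and other control bytes are never valid in a URL. Rejecting them up
    //    front removes the class of bug where parse_url() sees the whole string
    //    but a C-string-based function such as readfile() stops at the first NUL.
    if (preg_match('/[\x00-\x1f\x7f]/', $raw)) {
        return null;
    }

    // 2. Require a parseable URL with an explicit scheme and host.
    $url = parse_url($raw);
    if ($url === false || empty($url['scheme']) || empty($url['host'])) {
        return null;
    }

    // 3. Only remote HTTP(S) resources may be passed through; this rules out
    //    file://, php:// and any other stream wrapper reaching the local disk.
    if (!in_array(strtolower($url['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // 4. Build the set of names this server answers to (port stripped from
    //    HTTP_HOST) and compare the URL host against it case-insensitively.
    $own = [];
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) {
        if (!empty($server[$key])) {
            $own[] = strtolower(preg_replace('/:\d+$/', '', $server[$key]));
        }
    }
    if (!in_array(strtolower($url['host']), $own, true)) {
        return null;
    }

    return $raw;
}

// Request handling as go.php would do it (assumed parameter names from the advisory).
$target = safe_passthrough_url(trim($_GET['url'] ?? ''), $_SERVER);
if ($target === null) {
    http_response_code(400);   // refuse silently rather than fall through
    exit;
}
if (!empty($_GET['untrusted'])) {
    readfile($target);         // now guaranteed to be an http(s) URL on this host
    exit;
}
```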