lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070207210901.32360.qmail@securityfocus.com>
Date: 7 Feb 2007 21:09:01 -0000
From: flo@...cp.org
To: bugtraq@...urityfocus.com
Subject: Ability to inject and execute any code as root in SysCP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                      The System Control Panel
                           www.SysCP.org

                      -= Security Advisory =-


     Advisory: Ability to inject and execute any code as root in SysCP
 Release Date: 2007/02/02
Last Modified: 2007/02/07
       Author: Florian Lippert <florian.lippert@...cp.org>
  Application: SysCP <= 1.2.15
     Severity: Arbitrary code execution
         Risk: Critical
       Status: Patch and new release provided


Overview:

  SysCP, the System Control Panel is a server administration tool 
  which enables an internet service provider to give their customers 
  a web-based application to administrate their email addresses, 
  their subdomains etc. 
  Two security issues, both making a remote code execution possible,
  were discovered recently:
  1) Within the panel, a customer can inject any malicious code which will
     be executed by the cronjob, which runs as super user. This security
     issue was discovered by Daniel Schulte <daniel@...eways.de> and only
     affects SysCP 1.2.15
  2) With having access to the syscp-database one could insert any file to
     be executed into panel_cronscript table. This security issue was
     discovered by Martin Burchert <eremit@...cp.org> and affects all
     SysCP releases from 1.2.3 up to 1.2.15.

Details:

  1) It's possible for a customer to create a directory-structure like
     "; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "
     inside his homedir. If the customer tries to protect this directory with
     the control panel, the cronscript will execute this command as root and
     the customer has the MySQL-root-password inside his ftp-directory.
  2) If an attacker has access to the database he could add any php file to
     the table 'panel_cronscript', for example one that he uploaded into his
     dir and which adds a new root-user or installs a backdor etc. Due to not
     validating or restricting the files which are "include_onced" on
     scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be
     executed as the user which also executes the cronscript, normally root.

Recommendation:

  For security issue #1 patch your installation with the provided patch
  (http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to
  SysCP 1.2.16, which fixes both security issues.

GPG-Key:
  pub   1024D/5B97D56B 2007-02-07 Florian Lippert <flo@...cp.org>
  Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B

EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy
dP3ag9i/r99Yvs7Dk4JNgDI=
=cqyF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ