lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0207142244290.14271-100000@Tempo.Update.UU.SE>
From: ulfh at update.uu.se (Ulf Harnhammar)
Subject: Double Choco Latte multiple vulnerabilities

Double Choco Latte multiple vulnerabilities


PROGRAM: Double Choco Latte
VENDOR: Michael Dean <mdean@...rs.sourceforge.net>
        GNU Enterprise <info@...e.org>
HOMEPAGE: http://dcl.sourceforge.net/index.php
VULNERABLE VERSIONS: 20020215, possibly others
NOT VULNERABLE VERSIONS: 20020706
LOGIN REQUIRED: yes
SEVERITY: high


DESCRIPTION:

"Double Choco Latte is a package that provides basic project
management capabilities, time tracking on tasks, call tracking,
email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It is licensed under the GPL (GNU Public License),
which means it is free to study, distribute, modify, and use."

(direct quote from the program's homepage)


SECURITY HOLES:

1) Both in Projects: Upload File Attachment and in Work Orders:
Import, the program allows file uploads to occur, without checking
if the four global variables with information about an upload (foo,
foo_name, foo_size and foo_type) really were set by uploading a
file or if they were normal POST data. This means that the upload
functions can be fooled into treating any file that the web server
can read (like /etc/passwd) as if it is the uploaded file.

You fix this by using PHP's is_uploaded_file() function, which
checks if a real upload has taken place.

2) When downloading files in Projects: Attachments, Double Choco
Latte doesn't check if the path contains any ".." strings. This
makes it possible for an attacker to download any file that the web
server can read. He or she can download /etc/passwd by asking for
"../../../../../../../etc/passwd".

3) Double Choco Latte has got lots of XSS (Cross-Site Scripting)
issues, as the program displays user-supplied data without removing
HTML tags. This occurs in Ticket# Find, Priorities, Severities,
Projects, WO# Find, Departments and Users.

You fix this with the htmlspecialchars() function.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 26th and 30th of May, and on the
26th of June. They released version 20020706, which does not have
any of these security holes, on the 5th of July.


RECOMMENDATION:

I recommend that all administrators upgrade to version 20020706.


// Ulf Harnhammar
ulfh@...ate.uu.se


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ