lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002401c647ca$d2483030$1501a8c0@BLANK>
Date: Wed Mar 15 02:55:08 2006
From: advisories at codescan.com (CodeScan Labs)
Subject: CodeScan Advisory: Unauthenticated Arbitrary File
	Read in Horde v3.09 and prior

========================================================================
= CodeScan Advisory, codescan.com <advisories@...escan.com>
= 
= Unauthenticated Arbitrary File Read in Horde v3.09 and prior
=
= Vendor Website: 
= http://www.horde.org
=
= Affected Version:
=    Versions prior to and including v3.09
=
= Researched By
=    Paul Craig <paul.craig@...urity-assessment.com>
=
= Public disclosure on March 15th, 2006
========================================================================

== Overview ==

CodeScan Labs (www.codescan.com), has recently released a new source 
code scanning tool, CodeScan. CodeScan is an advanced auditing tool 
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing 
execution paths and tracking the flow of user supplied input.

During the beta testing of CodeScan PHP, Horde v3.09 was selected as 
one of the test applications.

This advisory is the result of research into the security of Horde, based
on the report generated by the CodeScan tool.

CodeScan Labs has also worked with the vendor of horde to ensure future
versions of the product are secure.

== Affected Versions ==

Although all versions of horde v3.09 and prior are vulnerable to this
attack, many distrubitions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several horde developers were unable to reproduce this 
vulnerability on Debian based servers.

== Vulnerability Details ==

In the file /services/go.php, an insecure call is made to the readfile()
function.

This can be seen in the code below.
--------------------------------------------------------------
$_GET['url'] = trim($_GET['url']);

if (get_magic_quotes_gpc()) {
    $url = @parse_url(trim(stripslashes($_GET['url'])));
} else {
    $url = @parse_url(trim($_GET['url']));
}

if (empty($url) || empty($url['host'])) {
    exit;
}

if ((!empty($_SERVER['SERVER_NAME']) &&
     $_SERVER['SERVER_NAME'] == $url['host']) ||
    (!empty($_SERVER['HTTP_HOST']) &&
     $_SERVER['HTTP_HOST'] == $url['host'])) {

.........

// Pass through image content if requested.
if (!empty($_GET['untrusted'])) {
    readfile($_GET['url']);
    exit;
--------------------------------------------------------------
Calls to parse_url attempt to sanitise the input through
the requirement of an http:// type string.

Embedding a NULL character within the URL variable enables 
an attacker to control the variable passed to readfile()
leading to the reading of any file on the file system with
the privileges of the web server.

== Solutions ==

CodeScan Labs has been in contact with Horde and a new version of 
the software has been released to address the discovered
vulnerability.

Users are advised to upgrade to version 3.1 
   ftp://ftp.horde.org/pub/horde/horde-3.1.tar.gz
 
== Credit ==

Discovered and advised to Horde 4th March, 2006 by Paul Craig of
Security-Assessment.com

== About CodeScan Labs Ltd ==

CodeScan Labs is specialist security research and development
organisation, that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities.  The CodeScan product is currently available for ASP
and PHP(Beta)

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's only pure play security
company, specialising in security audit, assurance and advice services.
Assisting large and medium size Enterprises who require true independent
measurement of their security compliance at all levels.



e-mail protected and scanned by Bizo Email Filter - powered by Advascan


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ