Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Ulf Harnhammar (ulfh_at_update.uu.se)
Date: Sun Jul 14 2002 - 15:48:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Double Choco Latte multiple vulnerabilities

    PROGRAM: Double Choco Latte
    VENDOR: Michael Dean <mdeanusers.sourceforge.net>
            GNU Enterprise <infognue.org>
    HOMEPAGE: http://dcl.sourceforge.net/index.php
    VULNERABLE VERSIONS: 20020215, possibly others
    SEVERITY: high


    "Double Choco Latte is a package that provides basic project
    management capabilities, time tracking on tasks, call tracking,
    email notifications, online documents, statistical reports,
    a report engine, and more features are either working or being
    developed/planned. It is licensed under the GPL (GNU Public License),
    which means it is free to study, distribute, modify, and use."

    (direct quote from the program's homepage)


    1) Both in Projects: Upload File Attachment and in Work Orders:
    Import, the program allows file uploads to occur, without checking
    if the four global variables with information about an upload (foo,
    foo_name, foo_size and foo_type) really were set by uploading a
    file or if they were normal POST data. This means that the upload
    functions can be fooled into treating any file that the web server
    can read (like /etc/passwd) as if it is the uploaded file.

    You fix this by using PHP's is_uploaded_file() function, which
    checks if a real upload has taken place.

    2) When downloading files in Projects: Attachments, Double Choco
    Latte doesn't check if the path contains any ".." strings. This
    makes it possible for an attacker to download any file that the web
    server can read. He or she can download /etc/passwd by asking for

    3) Double Choco Latte has got lots of XSS (Cross-Site Scripting)
    issues, as the program displays user-supplied data without removing
    HTML tags. This occurs in Ticket# Find, Priorities, Severities,
    Projects, WO# Find, Departments and Users.

    You fix this with the htmlspecialchars() function.


    The vendor was contacted on the 26th and 30th of May, and on the
    26th of June. They released version 20020706, which does not have
    any of these security holes, on the 5th of July.


    I recommend that all administrators upgrade to version 20020706.

    // Ulf Harnhammar