SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Alexandria Vendors:   SourceForge Crew
Alexandria Source Code/Project Management Flaws Disclose Files to Remote Users and Let Remote Users Send E-mail to Arbitrary Recipients
SecurityTracker Alert ID:  1006400
SecurityTracker URL:  http://securitytracker.com/id/1006400
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 28 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of user information, User access via network
Vendor Confirmed:  Yes  
Version(s): 2.0, 2.5
Description:   Several vulnerabilities were reported in Alexandria ('alexandria-devel'). A remote user can view files on the system. A remote user can send e-mail to arbitrary recipients. A remote user can also conduct cross-site scripting attacks.

Secunia Research reported several vulnerabilities in Alexandria.

A remote user can reportedly exploit the "docman/new.php" and "patch/index.php" scripts to view arbitrary files on the server that are readable by the web server process, including password files. This is achieved by spoofing the upload temporary file location using the HTML input tag 'file' variable. The scripts apparently do not check to ensure that the file was actually uploaded to the appropriate directory.

A demonstration exploit example is provided in the Source Message.

It is also reported that a remote user can exploit the "sendmessage.php" script to bypass anti-SPAM protections and send e-mail to arbitrary recipients. This is reportedly achieved by including the valid site name within the "name" portion of an e-mail address (while setting the destination e-mail address portion of the address to the desired recipient).

In addition, a remote user can inject carriage return and line feed characters via "sendmessage.php", allowing the remote user to inject additional lines into the e-mail message. This can be used to send HTML-based e-mail, according to the report.

It is also reported that several fields (including user real names, user resumes, short job descriptions, and long job descriptions) are not filtered to remove HTML code. A remote user can create submit specially crafted text that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Alexandria software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Ulf Harnhammar is credited with discovering this flaw.

Impact:   A remote user can read arbitrary files on the system that are readable by the web server process.

A remote user can send e-mail to arbitrary recipients via the system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Alexandria software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user

Solution:   No solution was available at the time of this entry. According to the report, the software is no longer supported. The "SourceForge Enterprise Edition" is not believed to be vulnerable, the report states.
Vendor URL:  sourceforge.net/projects/alexandria-dev/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Secunia Research: Alexandria-dev / sourceforge multiple


====================================================================== 

                       Secunia Research 28/03/2003 

        - Alexandria-dev / sourceforge multiple vulnerabilities - 

======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/subscribe_secunia_security_advisories/?7 

====================================================================== 
Table of Contents 
1..............................................Description of software 
2.......................................Description of vulnerabilities 
3....................................................Affected Software 
4.............................................................Severity 
5.............................................................Solution 
6...........................................................Time Table 
7........................................................About Secunia 
8..............................................................Credits 
9.........................................................Verification 

====================================================================== 
1) Description of software 

Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an 
open-sourced project management system.

A modified version is used by the highly popular sourceforge.net web
site, which hosts a large percentage of all open source projects. 

====================================================================== 
2) Description of vulnerabilities 

a) Upload spoofing 

Both Alexandria's "docman/new.php" script and its "patch/index.php" 
script have got upload spoofing security holes, that is, they allow 
an attacker to fool them into treating any file on the web server 
as if it is the uploaded file. 

When uploading a file, PHP stores it in a temporary file and 
saves its location in the global variable named by the <input 
type="file"..> tag's name attribute. The programmer is supposed to 
check that the file really was uploaded, by using functions such 
as "is_uploaded_file()" or "move_uploaded_file()", but lots of people 
forget that. 

By POSTing some normal <input type="text"..> data to the two 
scripts mentioned above, with the same name attribute as the file 
upload, an attacker can exploit this and retrieve "/etc/passwd", 
"/etc/local.inc" with SourceForge's database username/password
combination, or other important files. 

Here is an example. A normal upload HTML form might look like this: 

<form method="POST" enctype="multipart/form-data" 
action="script.php"> 
<input type="file" name="thefile" size="30"> 
<input type="submit" value="Upload it!"> 
</form> 

To conduct upload spoofing on a vulnerable program like SourceForge, 
an attacker can use this form instead: 

<form method="POST" enctype="multipart/form-data" 
action="script.php"> 
<input type="text" name="thefile" value="/etc/passwd" size="30"> 
<input type="submit" value="Upload it!"> 
</form> 

b) Spamming and CRLF Injection 

Alexandria's "sendmessage.php" script tries to prevent people from 
using it for spamming, by only allowing "To" addresses that contain 
the domain of the current Alexandria installation. It is very 
easy to get around, though. If the domain is "our-site", a spammer
can use the power of RFC 2822 to construct an e-mail address like
"our-site <mike@someothersite.net>", which will fool Alexandria into
allowing e-mails to mike@someothersite.net, as its domain is found
somewhere in the address. 

The "sendmessage.php" script also suffers from CRLF Injection, 
allowing people to add new mail headers so that they can send HTML 
mails for instance. 

c) Cross Site Scripting 

Users' real names, users' resumes (under skills profile), short 
and long job descriptions as well as short project descriptions 
all suffer from Cross Site Scripting problems. This means that 
malicious users may steal other users' cookies or perform actions 
under their names. 

====================================================================== 
3) Affected Software 

At least Alexandria versions 2.5 and 2.0 are vulnerable to these 
problems. 

WebSite: 
http://sourceforge.net/projects/alexandria-dev/

====================================================================== 
4) Severity 

Rating:  Highly critical 
Impact:  Cross Site Scripting 
          Exposure of system information 
          Security Bypass 
Where:   From Remote 

====================================================================== 
5) Solution 

There will not be issued a new release. The source code is no longer
supported by SourceForge / VASoftware.

The latest version of the commercial solution "SourceForge Enterprise
Edition" is not believed to be vulnerable.

====================================================================== 
6) Time Table 

19/03/2003 - SourceForge.net contacted 
19/03/2003 - SourceForge.net confirmed 
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003 
28/03/2003 - Vulnerability public disclosure 

We have also contacted other sites believed to use code derived from
SourceForge / Alexandria.

====================================================================== 
7) About Secunia 

Secunia collects, validates, assesses and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 
http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 
http://www.secunia.com/subscribe_secunia_security_advisories/?5 

====================================================================== 
8) Credits 

Discovered by Ulf Harnhammar

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website. 
http://www.secunia.com/secunia_research/2003-2/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC