SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PEAR LiveUser Vendors:   PHP Group
PEAR LiveUser Input Validation Flaws in Processing Cookies Let Remote Users Determine File Existence and Delete Files
SecurityTracker Alert ID:  1015659
SecurityTracker URL:  http://securitytracker.com/id/1015659
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 22 2006
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.16.8 and prior versions
Description:   A vulnerability was reported in PEAR LiveUser. A remote user can determine files and potentially delete files on the target system.

The 'LiveUser.php' script does not properly validate user-supplied input in the 'store_id' variable, which is derived from cookie values.

A remote user can supply a specially crafted cookie value to determine if specified files exist on the target system or to delete files on the target system with the privileges of the target web service.

James Bercegay of the GulfTech Security Research Team discovered this vulnerability.

The original advisory is available at:

http://www.gulftech.org/?node=research&article_id=00103-02212006

Impact:   A remote user can determine if specified files exist on the target system.

A remote user can delete files on the target system with the privileges of the target web service.

Solution:   The vendor has issued a fixed version (0.16.9), available at:

http://pear.php.net/package/LiveUser/download

Vendor URL:  pear.php.net/package/LiveUser/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  PEAR LiveUser File Access Vulnerabilities

##########################################################
# GulfTech Security Research            February 21, 2006
##########################################################
# Vendor : Markus Wolff
# URL : http://pear.php.net/package/LiveUser/
# Version : PEAR LiveUser <= 0.16.8
# Risk : Arbitrary File Access
##########################################################



Description:
LiveUser is a user authentication and permission management
framework that is part of php's PEAR Library. LiveUser has
many different features, including the ability to remember
a user via cookies. Unfortunately there is an issue with
how extracted cookie data is handled by the LiveUser library
within the remember feature which makes it possible for an
attacker to gain access to, and even delete potentially
sensitive files on the webserver. An updated version of the
LiveUser framework has been released, and users are advised
to upgrade to LiveUser 0.16.9



Arbitrary File Access:
There is an arbitrary file access vulnerability in PEAR LiveUser
that allows an attacker to access arbitrary files on the server

$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65
     // kill all old style remember me cookies
     || (strpos($cookieData, ':') && strpos($cookieData, ':') < 64)
) {
     // Delete cookie if it's not valid, keeping it messes up the
     // authentication process
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
         'Wrong data in cookie store in LiveUser::readRememberMeCookie()');
     return false;
}

$store_id = substr($cookieData, 0, 32);
$passwd_id = substr($cookieData, 32, 32);
$handle = substr($cookieData, 64);

$dir = $this->_options['cookie']['savedir'];

$fh = @fopen($dir . '/' . $store_id . '.lu', 'rb');
if (!$fh) {
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
         'Cannot open file for reading');
     return false;
}

$fields = fread($fh, 4096);
fclose($fh);
if (!$fields) {
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
         'Cannot read file');
     return false;
}

The above code is taken from LiveUser.php @ lines 1269-1303 and
clearly shows the $store_id variable being assigned unsanitized
data, which is passed to an fopen called shortly thereafter. The
good news is that as far as I can tell this issues can not be
abused in a real world scenario much further than enumerating
file existence on the local filesystem.



Arbitrary File Deletion:
Similar to the previously mentioned issue, this vulnerability may
allow a malicious user to delete arbitrary files on the local
server by supplying malicious cookie data.

$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65) {
     $this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
         'Wrong data in cookie store in LiveUser::deleteRememberCookie()');
     return false;
}

$store_id = substr($cookieData, 0, 32);
@unlink($this->_options['cookie']['savedir'] . '/'.$store_id.'.lu');

The above code is also taken from LiveUser.php and resides @ lines
1343-1351. Here we see user supplied data being used in an unlink
call which could allow an attacker to delete arbitrary files on the
local server by traversing out of the cwd and terminating the fopen
call with a null byte.



Solution:
An updated version of the LiveUser framework has been released to
address these issues. The current release is LiveUser 0.16.9 and
users should update their LiveUser libraries as soon as possible.
Special thanks to Lukas Smith for a very prompt resolution!



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00103-02212006

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC