PHProjekt 未限制文件上传漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191209 漏洞类型 输入验证
发布时间 2007-03-14 更新时间 2007-06-20
CVE编号 CVE-2007-1639 CNNVD-ID CNNVD-200703-602
漏洞平台 N/A CVSS评分 4.6
|漏洞来源
https://www.securityfocus.com/bid/22956
https://cxsecurity.com/issue/WLB-2007030174
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-602
|漏洞详情
PHProjekt5.2.0中存在未限制文件上传漏洞。当magic_quotes_gpc被禁用时,远程认证用户可以借助一个包含有可执行性扩展名的文件,上传和执行任意的PHP代码。该文件可以被(1)日历或(2)文件管理模块或其他未明文件访问。
|漏洞EXP
n.runs AG
http://www.nruns.com/                              security at nruns.com
n.runs-SA-2007.006                                           14-Mar-2007
________________________________________________________________________

Vendor:                Mayflower GmbH, http://www.mayflower.de
Affected Products:     PHProjekt 5.2.0
Vulnerability:         Privilege escalation
Risk:                  HIGH

________________________________________________________________________

Vendor communication:

2006/12/31        initial notification of Mayflower
  2007/01/02        Mayflower Response
  2007/01/02        PGP keys exchange
  2007/01/02        PoCs sent to Mayflower
  2007/01/11        Mayflower confirmed the bugs
  2007/01/30        Mayflower fixed the bugs and sends RC1
  2007/01/30        n.runs informs Mayflower about a persisting XSS 
                    vulnerability
  2007/02/02        Mayflower confirmed the bug
  2007/02/08        Mayflower fixed the bugs and sends RC2   
  2007/02/12        n.runs informs Mayflower about a persisting XSS
                    vulnerability
  2007/02/15        Mayflower confirmed the bug
  2007/02/20        Mayflower fixed the bug and sends RC3
  2007/02/21        n.runs verifies RC3 and reported a possible flaw 
                    within the new XSS protection library
  2007/03/14        PHProjekt 5.2.1 available
  2007/03/14        Coordinated disclosure

________________________________________________________________________

Overview:
Quoting http://www.phprojekt.com/features.php?&newlang=eng 
"PHProjekt is a modular application for the coordination of group 
activities and to share informations and document via the web.
Components of PHProjekt: Group calendar, project management, time card 
system, file management, contact manager, mail client and many other 
modules.
PHProjekt supports many protocols like ldap, xml/soap and webdav and 
is available for 38 languages and 9 databases."

Description:
The vendor has been informed that every authenticated user can upload 
any files, e.g., through the calendar or file management module. 
With this privilege it is possible to upload PHP files with arbitrary 
code, which can subsequently be instantly executed. This suggests a 
privilege escalation is possible.

Solution:
The vulnerabilities were reported on Dec 31 2006 and an update has 
been released on Mar 14 2007.
______________________________________________
________________________________________________________________________

Credit: 
Bugs found by Alexios Fakos of n.runs AG. 
________________________________________________________________________

References: 
http://www.nruns.com/security_advisory_phprojekt_privilege_escalation.ph
p
________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact 
security (at) nruns (dot) com [email concealed] for permission. Use of the advisory constitutes 
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of 
such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.
|受影响的产品
PHProjekt PHProjekt 5.2 PHProjekt PHProjekt 5.1.2 PHProjekt PHProjekt 5.1.1 PHProjekt PHProjekt 5.1 Gentoo Linux
|参考资料

来源:BID
名称:22956
链接:http://www.securityfocus.com/bid/22956
来源:SECUNIA
名称:24509
链接:http://secunia.com/advisories/24509
来源:XF
名称:phprojekt-calendarfile-file-upload(32995)
链接:http://xforce.iss.net/xforce/xfdb/32995
来源:BUGTRAQ
名称:20070314n.runs-SA-2007.006-PHProjekt5.2.0-Privilegeescalation
链接:http://www.securityfocus.com/archive/1/archive/1/462785/100/100/threaded
来源:www.phprojekt.com
链接:http://www.phprojekt.com/index.php?name=News&file=article&sid=276
来源:MISC
链接:http://www.nruns.de/security_advisory_phprojekt_privilege_escalation.php
来源:OSVDB
名称:35163
链接:http://osvdb.org/35163
来源:SREASON
名称:2476
链接:http://securityreason.com/securityalert/2476
来源:GENTOO
名称:GLSA-200706-07
链接:http://security.gentoo.org/glsa/glsa-200706-07.xml
来源:SECUNIA
名称:25748
链接:http://secunia.com/advisories/25748