|
|
|
|
| |
"PHProjekt is a modular application for the coordination of group activities and to share informations and document via Intranet and internet. Components of PHProjekt: Group calendar, project management, time card system, file management, contact manager, mail client and 9 other modules ...(feature list). PHProjekt supports many protocols like ldap, soap and webdav and is available for 36 languages and 7 databases."
While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look into the current PHProjekt source code and discovered that a (remote) include vulnerability had been (re)introduced.
By overwriting a variable with user input it is possible to inject and execute arbitrary PHP code. Overwriting this variable is possible regardless of the register_globals setting. |
| |
Credit:
The information has been provided by Stefan Esser.
The original article can be found at: http://www.hardened-php.net/advisory_062006.129.html
|
| |
PHProjekt includes several files from different paths. In earlier versions it was possible to overwrite the base path variable $path_pre from the outside and use it to include arbitrary files or URLs. This vulnerability had been fixed by checking the content of $path_pre and bailing out of the PHP script in case of an attack.
Unfortunately the code within PHProjekt was moved around, which resulted in $lib_path and $lang_path beeing filles before the request variables are extracted into the global namespace by the PHP script. (This globalisation is done by the code of PHProjekt and has nothing todo with PHP's register_globals feature).
Because of this construction it is possible to include arbitrary PHP files by filling $lib_path or $lang_path through f.e. the URL.
This vulnerability was now fixed by modifying all include paths to use constants instead of variables, because constants cannot be overwritten once they are set.
Disclosure Timeline:
21. September 2006 - Contacted PHProjekt developers by email
28. September 2006 - Updated PHProjekt was released
29. September 2006 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to the newest version of PHProejekt 5.1.2 which you can download at: http://www.phprojekt.com/download/phprojekt.tar.gz
As usual we very strongly recommend to install our Suhosin PHP extension, because it is the only solution that stops all PHP remote URL includes. The often advertised allow_url_fopen configuration directive does NOT protect against 'php://input' or 'data:' URL types. Suhosin additionally can stop several directory traversal attacks that try to include local
|
|
|
|
|
