-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PHProjekt (Remote) Include Vulnerabilities Release Date: 2006/09/29 Last Modified: 2006/09/29 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: PHProjekt 5.1.1 Severity: An unverified path may allow an attacker to inject and execute arbitrary PHP code Risk: Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_062006.129.html Overview: Quote from http://www.phprojekt.com "PHProjekt is a modular application for the coordination of group activities and to share informations and document via intranet and internet. Components of PHProjekt: Group calendar, project management, time card system, file management, contact manager, mail client and 9 other modules ...(feature list). PHProjekt supports many protocols like ldap, soap and webdav and is available for 36 languages and 7 databases." While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look into the current PHProjekt source code and discovered that a (remote) include vulnerability had been (re)introduced. By overwriting a variable with user input it is possible to inject and execute arbitrary PHP code. Overwriting this variable is possible regardless of the register_globals setting. It is recommended to install our Suhosin (http://www.suhosin.org) PHP extension, because it is the only solution that stops 100% of all URL includes. Please note that allow_url_fopen is NOT a 100% protection because it does NOT stop all URL types. Details: PHProjekt includes several files from different paths. In earlier versions it was possible to overwrite the base path variable $path_pre from the outside and use it to include arbitrary files or URLs. This vulnerability had been fixed by checking the content of $path_pre and bailing out of the PHP script in case of an attack. Unfortunately the code within PHProjekt was moved around, which resulted in $lib_path and $lang_path beeing filles before the request variables are extracted into the global namespace by the PHP script. (This globalisation is done by the code of PHProjekt and has nothing todo with PHP's register_globals feature). Because of this construction it is possible to include arbitrary PHP files by filling $lib_path or $lang_path through f.e. the URL. This vulnerability was now fixed by modifying all include paths to use constants instead of variables, because constants cannot be overwritten once they are set. Proof of Concept: The Hardened-PHP Project is not going to release exploits for this vulnerability to the public. Disclosure Timeline: 21. September 2006 - Contacted PHProjekt developers by email 28. September 2006 - Updated PHProjekt was released 29. September 2006 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the newest version of PHProejekt 5.1.2 which you can download at: http://www.phprojekt.com/download/phprojekt.tar.gz As usual we very stronlgy recommend to install our Suhosin PHP extension, because it is the only solution that stops all PHP remote URL includes. The often advertised allow_url_fopen configuration directive does NOT protect against 'php://input' or 'data:' URL types. Suhosin additionally can stop several directory traversal attacks that try to include local files. Grab your copy and more information at: http://www.hardened-php.net/suhosin/index.html GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFFHQmFRDkUzAqGSqERAsoTAJ4gmFLTcReHvo6EvtxlZXHI41tPDgCg1ppS 7THEd6ldw69+Hx9dO9zkcew= =NXXs -----END PGP SIGNATURE-----