The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web
site: http://www.securiteam.com
Chora CVS/SVN Viewer Remote Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.horde.org/chora/> Chora is "the Horde Project's CVS/SVN
repository viewer. (SVN support only in CVS version) It is used to provide
web-based access to repositories. Currently, these features include:
* Directory-based views, with a summary of the most recent activity.
* View full log history on a single file, with the ability to stick to a
single branch.
* Request arbitrary differences between versions and branches. These can
be viewed in a variety of formats, ranging from raw diff output to
human-readable HTML
* Visual branch viewing for a single file, which graphically represents
the history of the file with respect to branches from the main trunk of
development
* Annotation (otherwise known as 'blame') support, which shows which
author is responsible for which portions of a file's contents".
During a security audit of Chora, a vulnerability in the diff viewing
functionality was discovered. The hole allows an attacker to inject
arbitrary shell commands into a command executed by the web server.
Combined with PHP's file upload handling, this gives a remote attacker the
opportunity to upload an arbitrary binary and execute it on a
default-configured server.
Concurrent Versions System (CVS) is the dominant open-source version
control software; it allows developers to access the latest code over a
network connection.
DETAILS
Vulnerable Systems:
* Chora version 1.2.1 and prior
Immune Systems:
* Chora version 1.2.2
Because Chora runs on the web servers of a number of bigger projects, it
was audited for the most obvious PHP programming mistakes. This revealed a
problem in the diff handling code for CVS and SVN repositories. While SVN
support exists only in the CVS tree and the 3.0 ALPHA version of Chora,
the affected CVS code has existed since the very first version of Chora.
In both cases the diff utility is executed via exec() with several
parameters. When the shell command is constructed, one variable (the
number of diff context lines) is assumed to always be a number and is
therefore not shell-escaped. Nowhere in Chora is there a check that the
function is only called with a number, so a request value of the form
"3; <command>" is passed straight into the command line, and an attacker
can inject an arbitrary shell command into the command stream.
On a default-configured server this means a remote attacker can use PHP's
file upload handling to place an arbitrary binary in the server's /tmp
directory (where PHP usually stores uploaded files for the duration of a
request), chmod it executable and execute it. PHP writes an uploaded file
to its temporary location before the script runs, regardless of whether
the script handles uploads at all, so the injected command finds the file
in place while the same request is still being processed.
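The following is an added illustration of the bug class, not Chora's own code: a Chora-style command builder that interpolates the context-line count into a diff command destined for exec(), next to a hardened version that refuses anything but a decimal integer and shell-escapes every argument. Function and variable names, the file names and the /tmp path in the injected value are hypothetical placeholders; the injected string is constructed to show the upload-chmod-execute chain described above.

```php
<?php
// Added example, not code from Chora or the Horde project.
// Both functions build the command string a viewer would hand to exec().

// Vulnerable pattern: $num (the number of context lines) is assumed to be
// an integer and is interpolated into the command line without escaping.
// The file names are escaped, which is why an injection via $num is the
// only way in.
function build_diff_cmd_vulnerable($diff, $num, $file1, $file2)
{
    return "$diff -U$num " . escapeshellarg($file1) . ' '
         . escapeshellarg($file2);
}

// Hardened pattern: validate the type and shape of $num before it reaches
// the shell, then escape every argument anyway so no single check is the
// last line of defence. Returns false for rejected input.
function build_diff_cmd_safe($diff, $num, $file1, $file2)
{
    if (!is_int($num) && !is_string($num)) {
        return false;
    }
    $num = (string)$num;               // ctype_digit() on an int checks a
    if (!ctype_digit($num)) {          // character code, so cast first
        return false;                  // rejects "3; id", "-3", "3 `ls`"
    }
    return escapeshellcmd($diff) . ' -U' . escapeshellarg($num) . ' '
         . escapeshellarg($file1) . ' ' . escapeshellarg($file2);
}

// Constructed attacker value of the kind submitted as the context-line
// count: the PHP temp file name is a hypothetical placeholder.
$injected = '3; chmod 755 /tmp/phpXXXXXX; /tmp/phpXXXXXX';

echo "vulnerable: ", build_diff_cmd_vulnerable('diff', $injected, 'a.c', 'b.c'), "\n";
// -> diff -U3; chmod 755 /tmp/phpXXXXXX; /tmp/phpXXXXXX 'a.c' 'b.c'
//    (three commands for the shell, the third being the uploaded binary)

$safe = build_diff_cmd_safe('diff', $injected, 'a.c', 'b.c');
echo "hardened:   ", ($safe === false ? 'rejected' : $safe), "\n";
// -> rejected

echo "hardened:   ", build_diff_cmd_safe('diff', '3', 'a.c', 'b.c'), "\n";
// -> diff -U'3' 'a.c' 'b.c'
```

Run it with `php example.php`. The vulnerable builder never executes anything here; it only shows the command line the shell would receive, which is enough to see that the `;` splits it into three commands. In the hardened version the validation is the real fix, and escapeshellarg() on the already-validated value costs nothing, so a future refactor that loosens the check does not silently reopen the hole.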
The nature of the problem allows the bug to be exploited, disguised as an
ordinary diff request, through a single POST request.
Separately, during the analysis of the cvshome.org hack incident, Derek
Robert Price discovered a null-termination issue in the patch for the
previous CVS security issue. This issue was not analyzed in depth, but it
is believed that it can only cause crashes.
Disclosure Timeline:
12 June 2004 - The Horde project was informed about the vulnerability. The
information was additionally shared with vendor-sec and a few bigger
projects running Chora. During the night Horde released Chora 1.2.2, which
fixes this issue, without notification; the release announcement downplays
the vulnerability as "minor security fixes".
13 June 2004 - Public disclosure, after it was realized that the Horde
project had already released a new version.
Recommendation:
Upgrading to Chora 1.2.2 or later is strongly recommended, because in
every default configuration this problem is a serious threat.
ADDITIONAL INFORMATION
The information has been provided by <mailto:s.esser@e-matters.de> Stefan
Esser.
The original article can be found at:
<http://security.e-matters.de/advisories/102004.html>
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.