double094.txt

`  
  
##########################################################  
# GulfTech Security Research April 8th, 2005  
##########################################################  
# Vendor : Michael Dean  
# URL : http://dcl.sourceforge.net/  
# Version : Double Choco Latte 0.9.4 .3 && Earlier  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
Double Choco Latte is a GNU Enterprise package that provides basic   
project management capabilities, time tracking on tasks, call   
tracking, email notifications, online documents, statistical reports,   
a report engine, and more features are either working or being   
developed/planned. It can be displayed inside of a phpGroupWare   
installation or be used stand-alone. It is licensed under the GPL   
(GNU Public License), which means it is free to study, distribute,   
modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone   
to php code execution vulnerabilities which allows an attacker to run   
php code with privileges of the webserver.  
  
  
  
Remote Code Execution:  
Double Choco Latte is vulnerable to a remote code execution issue  
that is the result of unsafe eval() calls. Using this issue an attacker  
could execute arbitrary code on the webserver.  
  
http://dcl/main.php?menuAction=htmlTickets.show;system(id);ob_start  
  
The trailing ob_start is only there to prevent error messages. Let's   
have a look at one of the examples of what causes this vulnerability.   
  
if (IsSet($menuAction) && $menuAction != 'clearScreen')  
{  
if ($g_oSec->ValidateMenuAction() == true)  
{  
list($class, $method) = explode(".", $menuAction);  
$obj = CreateObject('dcl.' . $class);  
eval("\$obj->$method();");  
}  
else  
{  
commonHeader();  
PrintPermissionDenied();  
}  
}  
else  
{  
commonHeader();  
}  
  
As we see from the above code, $class and $method are never sanatized  
and taken directly from the $menuAction variable. This is very unsafe  
as this data is then passed directly into eval(). After requesting a  
malicious url (for example, the one given above) the eval() becomes  
  
eval("htmlTickets->show;system(id);ob_start();");  
  
This issue has been resolved in all currently available versions and  
all users of DCL need to upgrade immediately.  
  
  
  
Cross Site Scripting:  
The fix for the code execution introduced a cross site scripting issue.  
Only people with version 0.9.4.3 need to worry about this issue  
  
  
  
Solution:  
Michael Dean was very very quick to respond to, and handle these   
vulnerabilities, and the eval() issues seem to have been solved.   
All users should upgrade immediately.  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00066-04082005  
  
Upgrades can be found here:  
http://sourceforge.net/project/showfiles.php?group_id=1424  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`