syscp1215-exec.txt

2007-02-08T00:00:00
ID PACKETSTORM:54277
Type packetstorm
Reporter Florian Lippert
Modified 2007-02-08T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
The System Control Panel  
www.SysCP.org  
  
-= Security Advisory =-  
  
  
Advisory: Ability to inject and execute any code as root in SysCP  
Release Date: 2007/02/02  
Last Modified: 2007/02/07  
Author: Florian Lippert <florian.lippert@syscp.org>  
Application: SysCP <= 1.2.15  
Severity: Arbitrary code execution  
Risk: Critical  
Status: Patch and new release provided  
  
  
Overview:  
  
SysCP, the System Control Panel is a server administration tool   
which enables an internet service provider to give their customers   
a web-based application to administrate their email addresses,   
their subdomains etc.   
Two security issues, both making a remote code execution possible,  
were discovered recently:  
1) Within the panel, a customer can inject any malicious code which will  
be executed by the cronjob, which runs as super user. This security  
issue was discovered by Daniel Schulte <daniel@byteways.de> and only  
affects SysCP 1.2.15  
2) With having access to the syscp-database one could insert any file to  
be executed into panel_cronscript table. This security issue was  
discovered by Martin Burchert <eremit@syscp.org> and affects all  
SysCP releases from 1.2.3 up to 1.2.15.  
  
Details:  
  
1) It's possible for a customer to create a directory-structure like  
"; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "  
inside his homedir. If the customer tries to protect this directory with  
the control panel, the cronscript will execute this command as root and  
the customer has the MySQL-root-password inside his ftp-directory.  
2) If an attacker has access to the database he could add any php file to  
the table 'panel_cronscript', for example one that he uploaded into his  
dir and which adds a new root-user or installs a backdor etc. Due to not  
validating or restricting the files which are "include_onced" on  
scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be  
executed as the user which also executes the cronscript, normally root.  
  
Recommendation:  
  
For security issue #1 patch your installation with the provided patch  
(http://files.syscp.org/misc/syscp-1.2.15s.patch) or upgrade to  
SysCP 1.2.16, which fixes both security issues.  
  
GPG-Key:  
pub 1024D/5B97D56B 2007-02-07 Florian Lippert <flo@syscp.org>  
Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B  
  
EOF  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (Darwin)  
  
iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy  
dP3ag9i/r99Yvs7Dk4JNgDI=  
=cqyF  
-----END PGP SIGNATURE-----  
`