Traq authenticate function remote code execution

2011-12-27T00:00:00
ID SAINT:0EEDDB7D5E598FEA09A587CCB17004E3
Type saint
Reporter SAINT Corporation
Modified 2011-12-27T00:00:00

Description

Added: 12/27/2011
BID: 50961
OSVDB: 77556

Background

Traq is a PHP5+ and MySQL4+ based Project Tracking system with the ability to host multiple projects.

Problem

The flaw is caused due to admin rights not properly being restricted in the "authenticate()" function in admincp/common.php. This can be exploited to execute arbitrary code.

Resolution

Upgrade to Traq 2.3.1 or later.

References

<http://www.exploit-db.com/exploits/18213>
<http://secunia.com/advisories/47108>

Limitations

This exploit has been tested against Traq 2.3 on Linux.

Platforms

Linux