Double Choco Latte Remote Code Execution
##########################################################
# GulfTech Security Research April 8th, 2005
##########################################################
# Vendor : Michael Dean
# URL : http://dcl.sourceforge.net/
# Version : Double Choco Latte 0.9.4 .3 && Earlier
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Double Choco Latte is a GNU Enterprise package that provides basic
project management capabilities, time tracking on tasks, call
tracking, email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It can be displayed inside of a phpGroupWare
installation or be used stand-alone. It is licensed under the GPL
(GNU Public License), which means it is free to study, distribute,
modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone
to php code execution vulnerabilities which allows an attacker to run
php code with privileges of the webserver.
Remote Code Execution:
Double Choco Latte is vulnerable to a remote code execution issue
that is the result of unsafe eval() calls. Using this issue an attacker
could execute arbitrary code on the webserver.
http://dcl/main.php?menuAction=htmlTickets.show;system(id);ob_start
The trailing ob_start is only there to prevent error messages. Let's
have a look at one of the examples of what causes this vulnerability.
if (IsSet($menuAction) && $menuAction != 'clearScreen')
{
if ($g_oSec->ValidateMenuAction() == true)
{
list($class, $method) = explode(".", $menuAction);
$obj = CreateObject('dcl.' . $class);
eval("\$obj->$method();");
}
else
{
commonHeader();
PrintPermissionDenied();
}
}
else
{
commonHeader();
}
As we see from the above code, $class and $method are never sanatized
and taken directly from the $menuAction variable. This is very unsafe
as this data is then passed directly into eval(). After requesting a
malicious url (for example, the one given above) the eval() becomes
eval("htmlTickets->show;system(id);ob_start();");
This issue has been resolved in all currently available versions and
all users of DCL need to upgrade immediately.
Cross Site Scripting:
The fix for the code execution introduced a cross site scripting issue.
Only people with version 0.9.4.3 need to worry about this issue
Solution:
Michael Dean was very very quick to respond to, and handle these
vulnerabilities, and the eval() issues seem to have been solved.
All users should upgrade immediately.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00066-04082005
Upgrades can be found here:
http://sourceforge.net/project/showfiles.php?group_id=1424
Credits:
James Bercegay of the GulfTech Security Research Team