
Advisory 01/2005: Fileupload/download vulnerability in Trac



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    Happy Python Hackers Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Fileupload/download vulnerability in Trac
 Release Date: 2005/06/20
Last Modified: 2005/06/20
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: Trac <= 0.8.3
     Severity: An input validation flaw within Trac allows 
               download/upload of files and therefore can lead to 
               remote code execution in some configurations
         Risk: Medium to High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-012005.php


Overview:

   Quote from http://www.edgewall.com
   "Trac is an enhanced wiki and issue tracking system for software 
   development projects. Trac uses a minimalistic approach to web-
   based software project management. Our mission: to help developers 
   write great software while staying out of the way. Trac should 
   impose as little as possible on a team's established development 
   process and policies.

   It provides an interface to Subversion, an integrated Wiki and 
   convenient report facilities.

   Trac allows wiki markup in issue descriptions and commit messages, 
   creating links and seamless references between bugs, tasks, 
   changesets, files and wiki pages. A timeline shows all project 
   events in order, making getting an overview of the project and 
   tracking progress very easy."

   During the evaluation of Trac an input validation vulnerability
   was discovered which can lead to arbitrary up- and downloading
   of files with the permissions of the web server. Under some
   circumstances this can lead to remote code execution, depending
   on the configuration of the webserver and the permissions on
   the directories within the document root.


Details:

   Trac's wiki and ticket systems allow attachments to be added to
   wiki entries and bug tracker tickets. These attachments are
   stored within directories that are determined by the id of
   the corresponding ticket or wiki entry.

   Due to missing validation of the id parameter it is possible
   for an attacker to supply arbitrary paths to the upload and
   attachment viewer scripts. This means that a potential attacker
   can retrieve any file accessible by the webserver user.

   Additionally it is possible to upload arbitrary files (up to
   a configured file length) to any place the webserver has write
   access to.

   For obvious reasons this can lead to the execution of arbitrary
   code if it is possible to upload files to the document root or
   its subdirectories. One example of such a configuration would be
   running Trac and s9y/WordPress with writable content directories
   on the same webserver.

   Another potential usage of this exploit would be to abuse Trac
   powered webservers as storage for e.g. torrent files.


Proof of Concept:

   The Hard^H^H^H Happy Python Hackers Project is not going 
   to release an exploit for this vulnerability to the public.


Disclosure Timeline:

   16. June 2005 - Contacted edgewall via email
   19. June 2005 - Vendor released bugfixed version
   20. June 2005 - Public disclosure


Recommendation:

   We strongly recommend upgrading to the vendor-supplied
   new version

      Trac 0.8.4
      http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCtfT7RDkUzAqGSqERAty0AKC8fRDxP8emed7m4Cm6IdnXJRwm/gCfT9u8
AcCaR+tH9495KAZMK8a9n1k=
=w7nq
-----END PGP SIGNATURE-----