oss-sec mailing list archives
CVE for ISPConfig 3.0.4.3 "Add new Webdav user" can chmod and chown entire server from client interface
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 08 Apr 2012 15:22:54 -0600
Main website: http://www.ispconfig.org/

CC'ing various addresses I found on their site/docs. They don't appear to have any real contact info.

Originally seen on Reddit, link to bug report:

http://bugtracker.ispconfig.org/index.php?do=details&task_id=2157

Filed by "hakong"

========================
Details

Through the client interface, I was able to chmod and chown the root directory (/) of my server to web3:client9 and 770 using the "Add new Webdav user" by using ../../../../../../../../../../../../ as a path. This can probably be exploited in some way too.

Just tried this on a fresh install of ISPConfig version 3.0.4.3, and it worked, had to re-install the entire VM.

This has to be fixed as soon as possible.
========================

Quick check of svn and generate log (to see revisions) and a diff (to look at the interesting revision, check date in bug report):

svn co svn://svn.ispconfig.org/ispconfig3/trunk/
cd trunk
svn log -v --limit 10 | less
svn diff -r 3018:3027 > ../3018-3027.diff

and we then this:

Index: interface/web/sites/webdav_user_edit.php =================================================================== - --- interface/web/sites/webdav_user_edit.php (revision 3018) +++ interface/web/sites/webdav_user_edit.php (revision 3027) 
@@ -114,7 +114,9 @@ */ if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />'; if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />'; - - + if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />'; + if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />'; + parent::onSubmit(); }

Which confirms this flaw quite nicely.

Please use CVE-2012-2087 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
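
Review bot: the two added 'dir' checks ahead of parent::onSubmit() match substrings (stristr for '..' and for './') instead of validating the path the value resolves to. That rejects harmless names that merely contain two dots, such as a directory called v1..2, and nothing in these lines rejects a 'dir' that begins with '/' or confirms that the resolved directory stays under the site's own root. Because the check sits only in the interface form handler, I would also split 'dir' on '/', refuse any '..' segment, and verify containment again at the point where the chown/chmod is actually performed. Minor points: stristr is a case-insensitive search, which buys nothing for punctuation, so strpos(...) !== false states the intent more directly; and the new message keys dir_dot_error and dir_slashdot_error need entries in the language files, which are not part of the diff shown.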
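
A containment check for the kind of client-supplied directory the bug report describes, as an added example that is not ISPConfig code and not part of the original message. The function name, the site root and the sample inputs are constructed for illustration; the check resolves '.' and '..' segments lexically and refuses anything that would climb above the site root.

```php
<?php
// Added example, not ISPConfig code. All names here are hypothetical.

/**
 * Join a client-supplied directory onto a site root and return the
 * normalized absolute path, or null if the result would leave the root.
 * Purely lexical: it does not touch the filesystem, so it also works for
 * directories that do not exist yet. Symlinks below the root are out of
 * scope and must be handled where the directory is created.
 */
function resolve_under_root(string $root, string $dir): ?string
{
    if (strpos($dir, "\0") !== false) {
        return null;                  // NUL bytes never belong in a path
    }
    $root  = rtrim($root, '/');
    $stack = [];
    foreach (explode('/', $dir) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                 // leading '/', '//' and './' collapse
        }
        if ($seg === '..') {
            if (count($stack) === 0) {
                return null;          // would climb above the site root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $seg;
    }
    return $root . (count($stack) ? '/' . implode('/', $stack) : '');
}

// Constructed sample inputs; the root below is a made-up path.
$root    = '/var/www/clients/client9/web3';
$samples = [
    'webdav/share',                          // ordinary subdirectory
    'docs/../webdav',                        // '..' that stays inside the root
    'releases/v1..2',                        // dots inside a name, not a segment
    '../../../../../../../../../../../../',  // the path from the bug report
    '/etc',                                  // absolute-looking input, kept under the root
];
foreach ($samples as $dir) {
    $resolved = resolve_under_root($root, $dir);
    printf("%-42s => %s\n", var_export($dir, true), $resolved ?? 'REJECTED');
}
```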