oss-sec mailing list archives

Re: CVE for ISPConfig 3.0.4.3 "Add new Webdav user" can chmod and chown entire server from client interface


From: "ISPConfig.org - Till Brehm" <t.brehm () ispconfig org>
Date: Mon, 09 Apr 2012 12:42:08 +0200

The Bug has been filed by "hakong" on April 3 in the ISPConfig bugtracker and
has been fixed on April 4 in SVN stable branch, Revision 3020.

See bug report for fast workaround and patch update instructions:

http://bugtracker.ispconfig.org/index.php?do=details&task_id=2157

or get revision 3020 from ISPConfig 3.0.4 SVN stable branch to get the update:

svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.4

The Bug is fixed in ISPConfig 3.0.4.4 which will get released on April 10, 2012.

The contact info of the ispconfig project can be found here:

http://www.ispconfig.org/imprint/

Till Brehm
ISPConfig.org

--
ISPConfig UG (haftungsbeschränkt)
Ritterstrasse 21
21335 Lüneburg
Tel +49-4131-707771
Fax +49-4131-407175
Email info () ispconfig org
--




On 08.04.2012 23:22, Kurt Seifried wrote:

Main website: http://www.ispconfig.org/

CC'ing various addresses I found on their site/docs. They don't appear
to have any real contact info.

Originally seen on Reddit, link to bug report:

http://bugtracker.ispconfig.org/index.php?do=details&task_id=2157

Filed by "hakong"
========================
Details
Through the client interface, I was able to chmod and chown the root
directory (/) of my server to web3:client9 and 770 using the "Add new
Webdav user" by using ../../../../../../../../../../../../ as a path.
This can probably be exploited in some way too.
Just tried this on a fresh install of ISPConfig version 3.0.4.3, and
it worked, had to re-install the entire VM. This has to be fixed as
soon as possible.
========================

Quick check of svn and generate log (to see revisions) and a diff (to
look at the interesting revision, check date in bug report):

svn co svn://svn.ispconfig.org/ispconfig3/trunk/
cd trunk
svn log -v --limit 10 | less
svn diff -r 3018:3027 > ../3018-3027.diff

and we then get this:

Index: interface/web/sites/webdav_user_edit.php
===================================================================
- --- interface/web/sites/webdav_user_edit.php  (revision 3018)
+++ interface/web/sites/webdav_user_edit.php    (revision 3027)
@@ -114,7 +114,9 @@
                 */
                if(isset($this->dataRecord['username'])&&
trim($this->dataRecord['username']) == '') $app->tform->errorMessage
.= $app->tform->lng('username_error_empty').'<br />';
                if(isset($this->dataRecord['username'])&&
empty($this->dataRecord['parent_domain_id']))
$app->tform->errorMessage .=
$app->tform->lng('parent_domain_id_error_empty').'<br />';
- -
+               if(isset($this->dataRecord['dir'])&&
stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .=
$app->tform->lng('dir_dot_error').'<br />';
+               if(isset($this->dataRecord['dir'])&&
stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .=
$app->tform->lng('dir_slashdot_error').'<br />';
+               
                parent::onSubmit();
        }
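
Review bot: The two added `dir` checks in onSubmit() are substring denylists on the raw form value (`stristr(...,'..')` and `stristr(...,'./')`), and nothing in this hunk confirms that the resolved directory stays inside the site's document root. I would enforce that in the server-side code that performs the chown/chmod as well, by canonicalising the final path and comparing it against the web root, so the permission change is safe even when a value reaches it by a route other than this form. Smaller points: `stristr` is case-insensitive, which adds nothing when matching `..`, so `strpos(...) !== false` states the intent more directly; the substring test also rejects legitimate names that merely contain two dots; and the added blank line carries trailing whitespace.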

Which confirms this flaw quite nicely.

Please use CVE-2012-2087 for this issue.

-- Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


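One way to confine the WebDAV directory described in the bug report above, as an added example (not ISPConfig code and not part of the original messages): it resolves the submitted directory lexically against the site's document root and rejects anything that would climb out, with the substring tests from the diff alongside for comparison. The function names, the `$docroot` value and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not ISPConfig code. Names and sample values are constructed.

/**
 * Lexically resolve a client-supplied directory against $docroot.
 * Returns the absolute path, or null if it would leave $docroot.
 */
function resolve_inside(string $docroot, string $dir): ?string
{
    if (strpos($dir, "\0") !== false) {
        return null;                    // NUL bytes never belong in a path
    }
    $stack = [];
    foreach (explode('/', $dir) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                   // empty or "current dir" segment: no-op
        }
        if ($seg === '..') {
            if (array_pop($stack) === null) {
                return null;            // would climb above the document root
            }
            continue;
        }
        $stack[] = $seg;
    }
    // A leading "/" was dropped above, so the input is always anchored under
    // $docroot. This is lexical only: the code that runs chown/chmod should
    // also compare realpath() of the existing target against $docroot.
    return rtrim($docroot, '/') . '/' . implode('/', $stack);
}

// The two substring tests shown in the diff above, for comparison.
function denylist_rejects(string $dir): bool
{
    return stristr($dir, '..') !== false || stristr($dir, './') !== false;
}

$docroot = '/var/www/clients/client9/web3';   // constructed sample document root
$samples = ['webdav/share', '../../../../../../', 'a/../../b', 'backup..old/files', '/etc'];
foreach ($samples as $dir) {
    $resolved = resolve_inside($docroot, $dir);
    printf("%-20s denylist=%-6s resolved=%s\n", $dir,
        denylist_rejects($dir) ? 'reject' : 'pass', $resolved ?? '(rejected)');
}
```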
