########################################################## # GulfTech Security Research April 8th, 2005 ########################################################## # Vendor : Michael Dean # URL : http://dcl.sourceforge.net/ # Version : Double Choco Latte 0.9.4 .3 && Earlier # Risk : Multiple Vulnerabilities ########################################################## Description: Double Choco Latte is a GNU Enterprise package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It can be displayed inside of a phpGroupWare installation or be used stand-alone. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone to php code execution vulnerabilities which allows an attacker to run php code with privileges of the webserver. Remote Code Execution: Double Choco Latte is vulnerable to a remote code execution issue that is the result of unsafe eval() calls. Using this issue an attacker could execute arbitrary code on the webserver. http://dcl/main.php?menuAction=htmlTickets.show;system(id);ob_start The trailing ob_start is only there to prevent error messages. Let's have a look at one of the examples of what causes this vulnerability. if (IsSet($menuAction) && $menuAction != 'clearScreen') { if ($g_oSec->ValidateMenuAction() == true) { list($class, $method) = explode(".", $menuAction); $obj = CreateObject('dcl.' . $class); eval("\$obj->$method();"); } else { commonHeader(); PrintPermissionDenied(); } } else { commonHeader(); } As we see from the above code, $class and $method are never sanatized and taken directly from the $menuAction variable. This is very unsafe as this data is then passed directly into eval(). After requesting a malicious url (for example, the one given above) the eval() becomes eval("htmlTickets->show;system(id);ob_start();"); This issue has been resolved in all currently available versions and all users of DCL need to upgrade immediately. Cross Site Scripting: The fix for the code execution introduced a cross site scripting issue. Only people with version 0.9.4.3 need to worry about this issue Solution: Michael Dean was very very quick to respond to, and handle these vulnerabilities, and the eval() issues seem to have been solved. All users should upgrade immediately. Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00066-04082005 Upgrades can be found here: http://sourceforge.net/project/showfiles.php?group_id=1424 Credits: James Bercegay of the GulfTech Security Research Team