rt-sa-2005-005.txt

rt-sa-2005-005.txt: Posted Feb 25, 2005; Site tsyklon.informatik.rwth-aachen.de; CitrusDB suffers from a directory traversal vulnerability in version 0.3.6.; tags | advisory; advisories | CVE-2005-0411; SHA-256 | 862fc966468232bfe5cd805255e5455b9ac1d1a771dd9d262466e00e066ca65f; Download | Favorite | View

rt-sa-2005-005.txt

                   Advisory: Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which  
results
in inclusion of any accessible local .php file.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6, probably <= 0.3.5, too
Immune Version: none (2005-02-03)
OS affected: all
Security-Risk: medium
Remote-Exploit: no
Vendor-URL: http://www.citrusdb.org
Vendor-Status: informed
Advisory-URL:  
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 
-005
Advisory-Status: public
CVE: CAN-2005-0411  
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0411#)

Introduction
============

Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to  
keep
track of customer information, services, products, billing, and customer
service information."

It is possible to include any local accessible .php file.

More Details
============

CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load  
different
modules and tools. The GET parameter "load"   specifies which file  
should be
included. With a relative path appended any .php file, that may be  
accessed
by the script, on the server may be included.

Proof of Concept
================

To include /tmp/exploit.php use:
http://<target>/citrusdb/tools/index.php?load=../../../../../../tmp/ 
exploit
Note: You need to be logged in to access this url.

Workaround
==========

n/a (2005-02-03)

Fix
===

n/a (2005-02-03)

Security Risk
=============

The security risk is rated medium. An attacker needs to be able to  
create a
.php file on the local filesystem which is normally a high barrier but  
in
shared hosting enviroments this may be easier.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0411

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find  
more
Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

rt-sa-2005-005.txt

rt-sa-2005-005.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

rt-sa-2005-005.txt

Share This

rt-sa-2005-005.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems