
advisory-012005.txt

Posted Jun 21, 2005
Authored by Stefan Esser | Site hardened-php.net

During an evaluation of Trac, an input validation vulnerability was discovered which can lead to arbitrary uploading and downloading of files with the permission of the web server.

tags | advisory, web, arbitrary
SHA-256 | f3d29acb6264e7e52acb1152dda2f9156a367be10f0e8013ba0df3ffb4203fd1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Happy Python Hackers Project
www.hardened-php.net

-= Security Advisory =-



Advisory: Fileupload/download vulnerability in Trac
Release Date: 2005/06/20
Last Modified: 2005/06/20
Author: Stefan Esser [sesser@hardened-php.net]

Application: Trac <= 0.8.3
Severity: An input validation flaw within Trac allows
download/upload of files and therefore can lead to
remote code execution in some configurations
Risk: Medium to High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-012005.php


Overview:

Quote from http://www.edgewall.com
"Trac is an enhanced wiki and issue tracking system for software
development projects. Trac uses a minimalistic approach to web-
based software project management. Our mission; to help developers
write great software while staying out of the way. Trac should
impose as little as possible on a team's established development
process and policies.

It provides an interface to Subversion, an integrated Wiki and
convenient report facilities.

Trac allows wiki markup in issue descriptions and commit messages,
creating links and seamless references between bugs, tasks,
changesets, files and wiki pages. A timeline shows all project
events in order, making getting an overview of the project and
tracking progress very easy."

During the evaluation of Trac an input validation vulnerability
was discovered which can lead to arbitrary uploading and
downloading of files with the permissions of the web server user.
Under some circumstances this can lead to remote code execution,
depending on the configuration of the web server and the
permissions on the directories within the document root.


Details:

Trac's wiki and ticket systems allow attachments to be added to
wiki pages and bug tracker tickets. These attachments are stored
in directories whose names are derived from the id of the
corresponding ticket or wiki page.

Because the id parameter is never validated, an attacker can
supply arbitrary paths (for example directory traversal sequences)
to the upload and attachment viewer scripts. This means that an
attacker can retrieve any file readable by the web server user.

Additionally it is possible to upload arbitrary files (up to the
configured maximum attachment size) to any location the web
server user has write access to.

For obvious reasons this can lead to the execution of arbitrary
code if it is possible to upload files into the document root or
one of its subdirectories. One example of such a configuration
would be running Trac and s9y/WordPress with writable content
directories on the same web server.

Another potential use of this flaw would be to abuse Trac-powered
web servers as storage for, e.g., torrent files.
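The flaw described above is a classic path traversal through an
identifier that is used as a directory name. The following is an
added example, not code from the advisory or from Trac itself; the
attachment root, the per-type id rules and the function names are
assumptions made for illustration. It places the vulnerable path
construction next to a hardened version that whitelists the id and
file name and then verifies that the resolved path still lies under
the attachment root, so the same check covers both the download
and the upload side.

```python
import os
import re

# Constructed example, not Trac's own code: shows how building an
# attachment path from an unvalidated "id" parameter lets the caller
# escape the attachment directory, and how a strict check prevents it.

ATTACHMENTS_ROOT = "/var/lib/trac/attachments"  # assumed layout

# Assumed id rules: ticket ids are decimal numbers, wiki page names are
# restricted to a conservative character set. Neither may start with
# '.' or contain '/', so '..' and absolute paths are rejected outright.
_ID_RULES = {
    "ticket": re.compile(r"^[0-9]+$"),
    "wiki": re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$"),
}
_FILENAME_RULE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")


def vulnerable_attachment_path(kind, id_, filename):
    """Path construction of the kind the advisory describes: the id is
    used as a directory name without validation, so '../' sequences and
    absolute paths are honoured by os.path.join."""
    return os.path.join(ATTACHMENTS_ROOT, kind, id_, filename)


def safe_attachment_path(kind, id_, filename):
    """Hardened version: whitelist type, id and filename, then verify
    that the resolved path is still inside the attachment root."""
    rule = _ID_RULES.get(kind)
    if rule is None:
        raise ValueError("unknown attachment type: %r" % kind)
    if not rule.match(id_):
        raise ValueError("invalid id: %r" % id_)
    if not _FILENAME_RULE.match(filename):
        raise ValueError("invalid filename: %r" % filename)
    # Defence in depth: even if the patterns are loosened later, refuse
    # anything that normalises to a location outside the root.
    root = os.path.realpath(ATTACHMENTS_ROOT)
    candidate = os.path.realpath(os.path.join(root, kind, id_, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes attachment root: %r" % candidate)
    return candidate


def escapes_root(path):
    """True when a path built by the vulnerable function normalises to a
    location outside ATTACHMENTS_ROOT."""
    root = os.path.normpath(ATTACHMENTS_ROOT)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


def is_rejected(kind, id_, filename):
    """Convenience wrapper: does the hardened function refuse this input?"""
    try:
        safe_attachment_path(kind, id_, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal ticket attachment, a traversal id and
    # an absolute id (os.path.join discards everything before it).
    for kind, id_, name in [("ticket", "42", "patch.diff"),
                            ("ticket", "../../../../etc", "passwd"),
                            ("wiki", "/etc", "passwd")]:
        p = vulnerable_attachment_path(kind, id_, name)
        print("%-40s escapes=%s rejected=%s"
              % (p, escapes_root(p), is_rejected(kind, id_, name)))
```

The regular expression check alone already blocks the traversal; the
`realpath`/`commonpath` comparison is kept because a later relaxation
of the id rules (say, to allow arbitrary wiki page names) should not
silently reopen the hole.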


Proof of Concept:

The Hard^H^H^H Happy Python Hackers Project is not going
to release an exploit for this vulnerability to the public.


Disclosure Timeline:

16. June 2005 - Contacted edgewall via email
19. June 2005 - Vendor released bugfixed version
20. June 2005 - Public disclosure


Recommendation:

We strongly recommend upgrading to the vendor-supplied
new version:

Trac 0.8.4
http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCtfT7RDkUzAqGSqERAty0AKC8fRDxP8emed7m4Cm6IdnXJRwm/gCfT9u8
AcCaR+tH9495KAZMK8a9n1k=
=w7nq
-----END PGP SIGNATURE-----
