-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHProjekt (Remote) Include Vulnerabilities
 Release Date: 2006/09/29
Last Modified: 2006/09/29
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHProjekt 5.1.1
     Severity: An unverified path may allow an attacker to inject 
               and execute arbitrary PHP code
         Risk: Critical
Vendor Status: Vendor has a released an updated version
   References: http://www.hardened-php.net/advisory_062006.129.html


Overview:

   Quote from http://www.phprojekt.com
   "PHProjekt is a modular application for the coordination of group 
   activities and to share informations and document via intranet and 
   internet. Components of PHProjekt: Group calendar, project 
   management, time card system, file management, contact manager, 
   mail client and 9 other modules ...(feature list).
   PHProjekt supports many protocols like ldap, soap and webdav and is 
   available for 36 languages and 7 databases."
   
   While searching for applications that are vulnerable to a new class 
   of vulnerabilities inside PHP applications we took a quick look 
   into the current PHProjekt source code and discovered that a (remote)
   include vulnerability had been (re)introduced.
   
   By overwriting a variable with user input it is possible to inject
   and execute arbitrary PHP code. Overwriting this variable is possible
   regardless of the register_globals setting.
   
   It is recommended to install our Suhosin (http://www.suhosin.org)
   PHP extension, because it is the only solution that stops 100% of
   all URL includes. Please note that allow_url_fopen is NOT a 100%
   protection because it does NOT stop all URL types.

Details:

   PHProjekt includes several files from different paths. In earlier
   versions it was possible to overwrite the base path variable 
   $path_pre from the outside and use it to include arbitrary files
   or URLs. This vulnerability had been fixed by checking the content
   of $path_pre and bailing out of the PHP script in case of an
   attack.
   
   Unfortunately the code within PHProjekt was moved around, which
   resulted in $lib_path and $lang_path beeing filles before the 
   request variables are extracted into the global namespace by the
   PHP script. (This globalisation is done by the code of PHProjekt
   and has nothing todo with PHP's register_globals feature).
   
   Because of this construction it is possible to include arbitrary
   PHP files by filling $lib_path or $lang_path through f.e. the URL.
   
   This vulnerability was now fixed by modifying all include paths
   to use constants instead of variables, because constants cannot
   be overwritten once they are set.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.


Disclosure Timeline:

   21. September 2006 - Contacted PHProjekt developers by email
   28. September 2006 - Updated PHProjekt was released
   29. September 2006 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the newest version of
   PHProejekt 5.1.2 which you can download at:

   http://www.phprojekt.com/download/phprojekt.tar.gz
   
   As usual we very stronlgy recommend to install our Suhosin PHP 
   extension, because it is the only solution that stops all
   PHP remote URL includes. The often advertised allow_url_fopen
   configuration directive does NOT protect against 'php://input'
   or 'data:' URL types. Suhosin additionally can stop several 
   directory traversal attacks that try to include local files.

   Grab your copy and more information at:
   
   http://www.hardened-php.net/suhosin/index.html
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFHQmFRDkUzAqGSqERAsoTAJ4gmFLTcReHvo6EvtxlZXHI41tPDgCg1ppS
7THEd6ldw69+Hx9dO9zkcew=
=NXXs
-----END PGP SIGNATURE-----