Double Choco Latte multiple vulnerabilities PROGRAM: Double Choco Latte VENDOR: Michael Dean GNU Enterprise HOMEPAGE: http://dcl.sourceforge.net/index.php VULNERABLE VERSIONS: 20020215, possibly others NOT VULNERABLE VERSIONS: 20020706 LOGIN REQUIRED: yes SEVERITY: high DESCRIPTION: "Double Choco Latte is a package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use." (direct quote from the program's homepage) SECURITY HOLES: 1) Both in Projects: Upload File Attachment and in Work Orders: Import, the program allows file uploads to occur, without checking if the four global variables with information about an upload (foo, foo_name, foo_size and foo_type) really were set by uploading a file or if they were normal POST data. This means that the upload functions can be fooled into treating any file that the web server can read (like /etc/passwd) as if it is the uploaded file. You fix this by using PHP's is_uploaded_file() function, which checks if a real upload has taken place. 2) When downloading files in Projects: Attachments, Double Choco Latte doesn't check if the path contains any ".." strings. This makes it possible for an attacker to download any file that the web server can read. He or she can download /etc/passwd by asking for "../../../../../../../etc/passwd". 3) Double Choco Latte has got lots of XSS (Cross-Site Scripting) issues, as the program displays user-supplied data without removing HTML tags. This occurs in Ticket# Find, Priorities, Severities, Projects, WO# Find, Departments and Users. You fix this with the htmlspecialchars() function. COMMUNICATION WITH VENDOR: The vendor was contacted on the 26th and 30th of May, and on the 26th of June. They released version 20020706, which does not have any of these security holes, on the 5th of July. RECOMMENDATION: I recommend that all administrators upgrade to version 20020706. // Ulf Harnhammar ulfh@update.uu.se