Happy Python Hackers Project
www.hardened-php.net

-= Security Advisory =-

Advisory: File upload/download vulnerability in Trac
Release Date: 2005/06/20
Last Modified: 2005/06/20
Author: Stefan Esser [sesser@hardened-php.net]
Application: Trac <= 0.8.3
Severity: An input validation flaw within Trac allows download/upload of files and therefore can lead to remote code execution in some configurations
Risk: Medium to High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-012005.php

Overview:

Quote from http://www.edgewall.com

"Trac is an enhanced wiki and issue tracking system for software development projects. Trac uses a minimalistic approach to web-based software project management. Our mission: to help developers write great software while staying out of the way. Trac should impose as little as possible on a team's established development process and policies. It provides an interface to Subversion, an integrated Wiki and convenient report facilities. Trac allows wiki markup in issue descriptions and commit messages, creating links and seamless references between bugs, tasks, changesets, files and wiki pages. A timeline shows all project events in order, making getting an overview of the project and tracking progress very easy."

During the evaluation of Trac an input validation vulnerability was discovered which can lead to arbitrary uploading and downloading of files with the permissions of the web server. Under some circumstances this can lead to remote code execution, depending on the configuration of the webserver and the permissions on the directories within the document root.

Details:

Trac's wiki and ticket systems allow attachments to be added to wiki entries and bug tracker tickets. These attachments are stored within directories that are determined by the id of the corresponding ticket or wiki entry.

Due to missing validation of the id parameter it is possible for an attacker to supply arbitrary paths to the upload and attachment viewer scripts. This means that a potential attacker can retrieve any file accessible to the webserver user. Additionally it is possible to upload arbitrary files (up to a configured file length) to any place the webserver has write access to. For obvious reasons this can lead to the execution of arbitrary code if it is possible to upload files to the document root or its subdirectories. One example of such a configuration would be running Trac and s9y/wordpress with writeable content directories on the same webserver. Another potential usage of this exploit would be to abuse Trac powered webservers as storage for e.g. torrent files.

Proof of Concept:

The Hard^H^H^H Happy Python Hackers Project is not going to release an exploit for this vulnerability to the public.

Disclosure Timeline:

16. June 2005 - Contacted edgewall via email
19. June 2005 - Vendor released bugfixed version
20. June 2005 - Public disclosure

Recommendation:

We strongly recommend upgrading to the vendor supplied new version Trac 0.8.4:
http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz

GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.
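As an added illustration of the Details section above (not code from the advisory, and not Trac's own attachment code): a request-side check of the attachment parent id and filename against a hypothetical on-disk layout, shown next to the unchecked path construction the advisory describes. The storage root, the directory layout and the permitted character sets are assumptions for the example.

```python
import os
import re

# Constructed layout, not Trac's real storage scheme: attachments live under
# <root>/<parent_type>/<parent_id>/<filename>, where parent_id is the ticket
# number or wiki page name taken straight from the request.
ATTACHMENTS_ROOT = "/var/trac/project/attachments"   # constructed example path

_TICKET_ID = re.compile(r"[0-9]{1,10}")             # ticket ids are plain integers
_WIKI_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")    # hypothetical conservative charset
_FILENAME = re.compile(r"[A-Za-z0-9_.-]{1,128}")


def naive_attachment_path(parent_type, parent_id, filename, root=ATTACHMENTS_ROOT):
    """The failure mode the advisory describes: the id is used unvalidated,
    so a traversal sequence in it moves the resulting path out of the root."""
    return os.path.normpath(os.path.join(root, parent_type, parent_id, filename))


def safe_attachment_path(parent_type, parent_id, filename, root=ATTACHMENTS_ROOT):
    """Validate every request-controlled component, then confirm the final
    path still lies below the attachment root. Raises ValueError on rejection."""
    if parent_type == "ticket":
        id_ok = _TICKET_ID.fullmatch(parent_id) is not None
    elif parent_type == "wiki":
        id_ok = _WIKI_NAME.fullmatch(parent_id) is not None
    else:
        id_ok = False
    # fullmatch rejects embedded newlines and path separators; "." and ".."
    # still pass the filename charset, so they are excluded explicitly.
    if not id_ok or filename in (".", "..") or _FILENAME.fullmatch(filename) is None:
        raise ValueError("invalid attachment parent id or filename")
    # Lexical containment check as a second line of defence (normpath keeps the
    # check deterministic here; use os.path.realpath where symlinks are possible).
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, parent_type, parent_id, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("attachment path escapes the attachment root")
    return candidate


def is_safe_attachment_request(parent_type, parent_id, filename):
    """Boolean wrapper for use in a request handler or a test."""
    try:
        safe_attachment_path(parent_type, parent_id, filename)
    except ValueError:
        return False
    return True
```

Both the upload and the viewer handler should call the same validator, since the advisory notes that the unchecked id reaches both scripts.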