Saturday July 31, 2010
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XMB Forums Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 MySQL Eventum Multiple Vulnerabilities
  6 Gallery 2 Multiple Vulnerabilities
  7 Geeklog Remote Code Execution
  8 RunCMS Multiple Vulnerabilities
  9 Kayako LiveResponse Multiple Vulnerabilities
10 phpRPC Library Remote Code Execution
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Research Services About Contact
Double Choco Latte Vulnerabilities
April 8, 2005
Vendor : Michael Dean
URL : http://dcl.sourceforge.net/
Version : Double Choco Latte 0.9.4 .3 && Earlier
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/12894


Description:
Double Choco Latte is a GNU Enterprise package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It can be displayed inside of a phpGroupWare installation or be used stand-alone. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone to php code execution vulnerabilities which allows an attacker to run php code with privileges of the webserver.


Remote Code Execution:
Double Choco Latte is vulnerable to a remote code execution issue that is the result of unsafe eval() calls. Using this issue an attacker could execute arbitrary code on the webserver.

http://dcl/main.php?menuAction=htmlTickets.show;system(id);ob_start

The trailing ob_start is only there to prevent error messages. Let's have a look at one of the examples of what causes this vulnerability. 
if (IsSet($menuAction) && $menuAction != 'clearScreen')
{
	if ($g_oSec->ValidateMenuAction() == true)
	{
		list($class, $method) = explode(".", $menuAction);
		$obj = CreateObject('dcl.' . $class);
		eval("\$obj->$method();");
	}
	else
	{
		commonHeader();
		PrintPermissionDenied();
	}
}
else
{
	commonHeader();
}

As we see from the above code, $class and $method are never sanatized and taken directly from the $menuAction variable. This is very unsafe as this data is then passed directly into eval(). After requesting a malicious url (for example, the one given above) the eval() becomes

eval("htmlTickets->show;system(id);ob_start();");

This issue has been resolved in all currently available versions and all users of DCL need to upgrade immediately.


Cross Site Scripting:
The fix for the code execution introduced a cross site scripting issue. Only people with version 0.9.4.3 need to worry about this issue.


Solution:
Michael Dean was very very quick to respond to, and handle these vulnerabilities, and the eval() issues seem to have been solved. All users should upgrade immediately.


Credits:
James Bercegay of the GulfTech Security Research Team


Terms of Use | Disclaimer
Copyright 2010 GulfTech Research And Development, LLC. All Rights Reserved