Double Choco Latte Remote Code Execution
Vendor: Michael Dean
Product: Double Choco Latte
Version: <= 0.9.4.3
Website: http://dcl.sourceforge.net/
BID: 12894
CVE: CVE-2005-0887 CVE-2005-0888
OSVDB: 14954 14955
SECUNIA: 14688
PACKETSTORM: 37088
Description:
Double Choco Latte is a GNU Enterprise package that provides basic project management capabilities, time tracking on tasks, call tracking, email notifications, online documents, statistical reports, a report engine, and more features are either working or being developed/planned. It can be displayed inside of a phpGroupWare installation or be used stand-alone. It is licensed under the GPL (GNU Public License), which means it is free to study, distribute, modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone to php code execution vulnerabilities which allows an attacker to run php code with privileges of the webserver.


Remote Code Execution:
Double Choco Latte is vulnerable to a remote code execution issue that is the result of unsafe eval() calls. Using this issue an attacker could execute arbitrary code on the webserver.

http://dcl/main.php?menuAction=htmlTickets.show;system(id);ob_start

The trailing ob_start is only there to prevent error messages. Let's have a look at one of the examples of what causes this vulnerability.
if (IsSet($menuAction) && $menuAction != 'clearScreen')
{
	if ($g_oSec->ValidateMenuAction() == true)
	{
		list($class, $method) = explode(".", $menuAction);
		$obj = CreateObject('dcl.' . $class);
		eval("\$obj->$method();");
	}
	else
	{
		commonHeader();
		PrintPermissionDenied();
	}
}
else
{
	commonHeader();
}

As we see from the above code, $class and $method are never sanatized and taken directly from the $menuAction variable. This is very unsafe as this data is then passed directly into eval(). After requesting a malicious url (for example, the one given above) the eval() becomes

eval("htmlTickets->show;system(id);ob_start();");

This issue has been resolved in all currently available versions and all users of DCL need to upgrade immediately.


Cross Site Scripting:
The fix for the code execution introduced a cross site scripting issue. Only people with version 0.9.4.3 need to worry about this issue.


Solution:
Michael Dean was very very quick to respond to, and handle these vulnerabilities, and the eval() issues seem to have been solved. All users should upgrade immediately.


Credits:
James Bercegay of the GulfTech Security Research Team