Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Double Choco Latte multiple vulnerabilities
From: full-disclosure () lists netsys com (Ulf Harnhammar)
Date: Sun, 14 Jul 2002 22:48:23 +0200 (CEST)

Double Choco Latte multiple vulnerabilities


PROGRAM: Double Choco Latte
VENDOR: Michael Dean <mdean () users sourceforge net>
        GNU Enterprise <info () gnue org>
HOMEPAGE: http://dcl.sourceforge.net/index.php
VULNERABLE VERSIONS: 20020215, possibly others
NOT VULNERABLE VERSIONS: 20020706
LOGIN REQUIRED: yes
SEVERITY: high


DESCRIPTION:

"Double Choco Latte is a package that provides basic project
management capabilities, time tracking on tasks, call tracking,
email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It is licensed under the GPL (GNU Public License),
which means it is free to study, distribute, modify, and use."

(direct quote from the program's homepage)


SECURITY HOLES:

1) Both in Projects: Upload File Attachment and in Work Orders:
Import, the program allows file uploads to occur, without checking
if the four global variables with information about an upload (foo,
foo_name, foo_size and foo_type) really were set by uploading a
file or if they were normal POST data. This means that the upload
functions can be fooled into treating any file that the web server
can read (like /etc/passwd) as if it is the uploaded file.

You fix this by using PHP's is_uploaded_file() function, which
checks if a real upload has taken place.

2) When downloading files in Projects: Attachments, Double Choco
Latte doesn't check if the path contains any ".." strings. This
makes it possible for an attacker to download any file that the web
server can read. He or she can download /etc/passwd by asking for
"../../../../../../../etc/passwd".

3) Double Choco Latte has got lots of XSS (Cross-Site Scripting)
issues, as the program displays user-supplied data without removing
HTML tags. This occurs in Ticket# Find, Priorities, Severities,
Projects, WO# Find, Departments and Users.

You fix this with the htmlspecialchars() function.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 26th and 30th of May, and on the
26th of June. They released version 20020706, which does not have
any of these security holes, on the 5th of July.


RECOMMENDATION:

I recommend that all administrators upgrade to version 20020706.


// Ulf Harnhammar
ulfh () update uu se



  By Date           By Thread  

Current thread:
  • Double Choco Latte multiple vulnerabilities Ulf Harnhammar (Jul 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault