[UNIX] Trac Fileupload/download Vulnerability

Subject: [UNIX] Trac Fileupload/download Vulnerability
Date: 20 Jun 2005 10:31:32 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  Trac Fileupload/download Vulnerability
------------------------------------------------------------------------


SUMMARY

" <http://www.edgewall.com> Trac is an enhanced Wiki and issue tracking 
system for software development projects. Trac uses a minimalistic 
approach to web-based software project management. Our mission; to help 
developers write great software while staying out of the way. Trac should 
impose as little as possible on a team's established development process 
and policies.

It provides an interface to Subversion, an integrated Wiki and convenient 
report facilities.

Trac allows wiki markup in issue descriptions and commit messages, 
creating links and seamless references between bugs, tasks, changesets, 
files and Wiki pages. A timeline shows all project events in order, making 
getting an overview of the project and tracking progress very easy."

During the evaluation of Trac an input validation vulnerability was 
discovered which can lead to arbitrary uploading and downloading of files 
with the permissions of the web server. Under some circumstances this can 
lead to remote code execution, depending on the configuration of the web 
server and the permissions on the directories within the document root.

DETAILS

Vulnerable Systems:
 * Trac version 0.8.3 and prior

Immune Systems:
 * Trac version 0.8.4

Trac's wiki and ticket systems allow users to add attachments to wiki entries 
and bug tracker tickets. These attachments are stored within directories 
that are determined by the id of the corresponding ticket or wiki entry.

Due to a missing validation of the id parameter it is possible for an 
attacker to supply arbitrary paths to the upload and attachment viewer 
scripts. This means that a potential attacker can retrieve any file 
accessible by the web server user.

Additionally it is possible to upload arbitrary files (up to a configured 
file length) to any place the web server has write access to.

For obvious reasons this can lead to the execution of arbitrary code if it 
is possible to upload files to the document root or its subdirectories. One 
example of such a configuration would be running Trac and s9y/WordPress 
with writable content directories on the same web server.

Another potential usage of this exploit would be to abuse Trac powered web 
servers as storage for e.g. torrent files.
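The id-to-path flaw described above, as an added example that is not Trac's own code: a constructed Python model of how an attachment directory is derived from a ticket or wiki id, with the unvalidated version beside one that validates the id and verifies that the resolved path stays under the attachment root. ATTACHMENT_ROOT and all function names are assumptions for the illustration.

```python
import os
import re

# Assumed attachment root for this constructed example (not from the advisory).
ATTACHMENT_ROOT = "/var/trac/attachments"


def vulnerable_attachment_dir(kind: str, obj_id: str) -> str:
    """Model of the flawed behaviour: the id is used as-is in the path.

    An id such as "../../../../etc" walks out of the attachment root, and
    the same path is used for both storing and serving attachments."""
    return os.path.join(ATTACHMENT_ROOT, kind, obj_id)


# Allowed shapes per object kind: tickets are numeric, wiki names carry no
# path separators. "." and ".." are excluded separately below.
_SAFE_ID = {
    "ticket": re.compile(r"[0-9]+"),
    "wiki": re.compile(r"[A-Za-z0-9_.-]+"),
}


def safe_attachment_dir(kind: str, obj_id: str) -> str:
    """Hardened version: validate the id, then confirm the resolved path
    is still inside the per-kind base directory (defence in depth)."""
    pattern = _SAFE_ID.get(kind)
    if pattern is None or obj_id in (".", "..") or not pattern.fullmatch(obj_id):
        raise ValueError("invalid attachment id: %r" % obj_id)
    base = os.path.realpath(os.path.join(ATTACHMENT_ROOT, kind))
    path = os.path.realpath(os.path.join(base, obj_id))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("attachment path escapes its root: %r" % path)
    return path


def is_contained(path: str) -> bool:
    """True if the (normalised) path lies under ATTACHMENT_ROOT."""
    root = os.path.realpath(ATTACHMENT_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def rejects(kind: str, obj_id: str) -> bool:
    """Helper for checks: does the hardened resolver refuse this id?"""
    try:
        safe_attachment_dir(kind, obj_id)
    except ValueError:
        return True
    return False
```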

Disclosure Timeline:
16. June 2005 - Contacted edgewall via email
19. June 2005 - Vendor released bug fixed version
20. June 2005 - Public disclosure

Recommendation:
We strongly recommend upgrading to the vendor supplied new version Trac 
0.8.4: http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz


ADDITIONAL INFORMATION

The information has been provided by Stefan Esser <sesser@hardened-php.net>.
The original article can be found at:
http://www.hardened-php.net/advisory-012005.php
