title: Local file inclusion/execution and multiple Cross-Site-Request-Forgery vulnerabilities in LetoDMS (formerly MyDMS)
products: LetoDMS (formerly MyDMS)
MyDMS is an open-source, web-based document management system (DMS)
written in PHP with a database backend. Originally coded by Markus
Westphal, MyDMS provides document meta-data, version control, security
and easy access to your documents.
source: http://sourceforge.net/projects/mydms/
The lang parameter of /mydms/op/op.Login.php is vulnerable to file
inclusion. Through this vulnerability it is possible to read sensitive
data from the web server and to execute malicious PHP code.
Furthermore, there are multiple Cross-Site-Request-Forgery
vulnerabilities which can be used to force a user or administrator to
execute unwanted actions. Some of these actions are:
If the guest account is enabled, or an attacker has a valid user account
to log in with, it is possible to include or execute files. The lang
parameter can be modified in a malicious way: because the application
appends a predefined file ending to the value, a null byte has to be
appended after the name of the file to be included in order to
terminate the path before that ending. The following GET request can be
used e.g. to retrieve the content of the boot.ini file on a server
running Windows as operating system. This vulnerability can also be
used to execute malicious PHP code (e.g. PHP code that has been written
into log files).
PoC request
GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=…/…/…/…/boot.ini%00&sesstheme= HTTP/1.1
[…]
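The following is an added example and not LetoDMS/MyDMS code: it shows the kind of include statement that makes a lang parameter exploitable in the way described above, next to a hardened replacement. The function names, the $langDir parameter and the "<name>.php" naming of language files are assumptions; the real op.Login.php is not reproduced here.

```php
<?php
// Added example (not LetoDMS/MyDMS code). The "unsafe" function is an
// assumption about the kind of include that makes a "lang" parameter
// exploitable; the real op.Login.php is not reproduced here. $langDir and
// the "<name>.php" file naming are assumptions as well.

// --- Vulnerable pattern (assumed) -------------------------------------
// The fixed ".php" suffix is meant to restrict inclusion to language files.
// On PHP versions before 5.3.4 a null byte in $lang ended the path early,
// so the suffix was discarded; "../" sequences then reach any readable file.
function include_language_unsafe(string $lang, string $langDir): void
{
    include $langDir . '/' . $lang . '.php';
}

// --- Hardened version --------------------------------------------------
// Languages actually installed, derived from the directory contents.
function available_languages(string $langDir): array
{
    $langs = [];
    foreach (glob($langDir . '/*.php') as $path) {
        $langs[] = basename($path, '.php');
    }
    return $langs;
}

// Returns the resolved file to include, or null if $lang is not acceptable.
function validate_language(string $lang, string $langDir): ?string
{
    // 1. Syntactic allowlist: letters, digits, "_" and "-" only. This rejects
    //    "/", "." and control characters such as the null byte outright.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $lang)) {
        return null;
    }
    // 2. Semantic allowlist: must be one of the installed languages
    //    (strict comparison, so no type juggling).
    if (!in_array($lang, available_languages($langDir), true)) {
        return null;
    }
    // 3. Defence in depth: the resolved path must stay inside $langDir.
    $base = realpath($langDir);
    $file = realpath($langDir . '/' . $lang . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function include_language(string $lang, string $langDir, string $default = 'English'): bool
{
    $file = validate_language($lang, $langDir);
    if ($file === null) {
        // Log the rejected value (control bytes escaped) and fall back to the default.
        error_log('rejected lang parameter: ' . addcslashes($lang, "\0..\37\177..\377"));
        $file = validate_language($default, $langDir);
        if ($file === null) {
            return false;
        }
    }
    include $file;
    return true;
}

// --- Demonstration with a constructed temporary language directory ------
$dir = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/English.php', "<?php\n// constructed language file\n");

$candidates = ['English', 'German', "../../../../boot.ini\0", '../English', 'English.php'];
foreach ($candidates as $candidate) {
    $verdict = validate_language($candidate, $dir) === null ? 'rejected' : 'accepted';
    printf("%-32s %s\n", addcslashes($candidate, "\0..\37"), $verdict);
}

unlink($dir . '/English.php');
rmdir($dir);
```

The three checks are deliberately redundant: the character allowlist alone already stops traversal and null bytes, the installed-language list turns the parameter into a selector rather than a path fragment, and the realpath comparison guards against later changes to the directory layout. Upgrading to a PHP version that rejects null bytes in paths removes the truncation trick but not the traversal, so the input validation is still required.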
The following requests can be used for CSRF-attacks:
It is assumed that there is more functionality vulnerable to
CSRF attacks.
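As an added example (not LetoDMS/MyDMS code), the following synchronizer-token check is the kind of protection each state-changing op.*.php script would need so that a forged request from another site cannot trigger the actions described above. The names csrf_token(), csrf_check(), csrf_field() and the "csrf_token" form field are assumptions; the session is passed in as an array so the example runs from the command line.

```php
<?php
// Added example (not LetoDMS/MyDMS code): a synchronizer-token check of the
// kind that every state-changing op.*.php script could apply. Names such as
// csrf_token(), csrf_check() and the "csrf_token" field are assumptions.
// The session is passed as an array so the example runs without a web server;
// in the application $_SESSION, $_POST and $_SERVER['REQUEST_METHOD'] are used.

// Returns the per-session token, creating it on first use (random_bytes() needs PHP 7+).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only for a POST carrying a token identical to the session's token.
function csrf_check(array $session, array $request, string $method): bool
{
    if ($method !== 'POST') {
        return false;   // state changes must never be triggered by GET links or images
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Renders the hidden form field that carries the token.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Intended use at the top of an op.*.php script (assumed structure):
//   if (!csrf_check($_SESSION, $_POST, $_SERVER['REQUEST_METHOD'])) {
//       http_response_code(403);
//       exit('invalid request');
//   }

// --- Demonstration with constructed session and request data ------------
$session = [];
$token   = csrf_token($session);

$cases = [
    'POST with the session token'       => [['csrf_token' => $token], 'POST'],
    'GET with the session token'        => [['csrf_token' => $token], 'GET'],
    'POST without a token'              => [[], 'POST'],
    'POST with a guessed token'         => [['csrf_token' => str_repeat('0', 64)], 'POST'],
    'POST with an array as token value' => [['csrf_token' => [$token]], 'POST'],
];
foreach ($cases as $label => [$request, $method]) {
    printf("%-36s %s\n", $label, csrf_check($session, $request, $method) ? 'allowed' : 'blocked');
}
```

The token lives only in the server-side session and in the form the server rendered, so a page on another origin cannot read it and therefore cannot forge a valid POST. Rejecting GET outright matters on its own, since the actions an image tag or link can trigger are exactly the ones a CSRF attack relies on.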
MyDMS
2009-10-29: Contacting developers on SourceForge.Net and on
trilexnet.com via contact form and the developer forum.
2009-12-11: No response from developers so far.
2009-12-11: New attempt to contact developers.
2010-01-15: No response from developers.
2010-01-15: Release of the advisory.
n.a.
https://www.sec-consult.com/advisories.html#a64
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html
EOF L. Weichselbaum / @2010