Advisory 01/2005 - Fileupload/download vulnerability in Trac




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Happy Python Hackers Project
www.hardened-php.net

-= Security Advisory =-



Advisory: Fileupload/download vulnerability in Trac
Release Date: 2005/06/20
Last Modified: 2005/06/20
Author: Stefan Esser [sesser@hardened-php.net]

Application: Trac <= 0.8.3
Severity: An input validation flaw within Trac allows
download/upload of files and therefore can lead to
remote code execution in some configurations
Risk: Medium to High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-012005.php


Overview:

Quote from http://www.edgewall.com
"Trac is an enhanced wiki and issue tracking system for software
development projects. Trac uses a minimalistic approach to web-
based software project management. Our mission; to help developers
write great software while staying out of the way. Trac should
impose as little as possible on a team's established development
process and policies.

It provides an interface to Subversion, an integrated Wiki and
convenient report facilities.

Trac allows wiki markup in issue descriptions and commit messages,
creating links and seamless references between bugs, tasks,
changesets, files and wiki pages. A timeline shows all project
events in order, making getting an overview of the project and
tracking progress very easy."

During the evaluation of Trac an input validation vulnerability
was discovered which can lead to arbitrary up- and downloading
of files with the permission of the web server. Under some
circumstances this can lead remote code execution, depending
on the configuration of the webserver and the permissions on
the directories within the document root.


Details:

Trac's wiki and ticket systems allows to add attachments to
wiki entries and bug tracker tickets. These attachments are
stored within directories that are determined by the id of
the corresponding ticket or wiki entry.

Due to a missing validation of the id parameter it is possible
for an attacker to supply arbitrary paths to the upload and
attachment viewer scripts. This means that a potential attacker
can retrieve any file accessible by the webserver user.

Additionally it is possible to upload arbitrary files (up to
a configured file length) to any place the webserver has write
access too.

For obvious reasons this can lead to the execution of arbitrary
code if it possible to upload files to the document root or
it's subdirectories. One example of a configuration would be f.e.
running Trac and s9y/wordpress with writeable content directories
on the same webserver.

Another potential usage of this exploit would be to abuse Trac
powered webservers as storage for f.e. torrent files.


Proof of Concept:

The Hard^H^H^H Happy Python Hackers Project is not going
to release an exploit for this vulnerability to the public.


Disclosure Timeline:

16. June 2005 - Contacted edgewall via email
19. June 2005 - Vendor released bugfixed version
20. June 2005 - Public disclosure


Recommendation:

We strongly recommend to upgrade to the vendor supplied
new version

Trac 0.8.4
http://ftp.edgewall.com/pub/trac/trac-0.8.4.tar.gz


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCtfT7RDkUzAqGSqERAty0AKC8fRDxP8emed7m4Cm6IdnXJRwm/gCfT9u8
AcCaR+tH9495KAZMK8a9n1k=
=w7nq
-----END PGP SIGNATURE-----

© Hardened PHP Project