Date: 10 January 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0001 -- AUSCERT ALERT
[Win][UNIX/Linux]
Multiple PHP web applications vulnerable through ADOdb library test scripts
10 January 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product:            ADOdb for PHP, versions 4.68 and prior
                    PostNuke 0.761 and prior
                    Mantis 1.0.0rc4 and prior
                    Moodle 1.5.3 and prior
                    Cacti 0.8.6g and prior
                    Other web applications using the ADOdb library
Operating System:   Windows
                    UNIX variants (UNIX, Linux, OSX)
Impact:             Execute Arbitrary Code/Commands
Access:             Remote/Unauthenticated
Member-only until:  Tuesday, February 07 2006
OVERVIEW:
The ADOdb database interface library is used by many popular web
applications, as well as many web projects developed in-house.
By default, ADOdb versions 4.68 and prior install two vulnerable
scripts that can be accessed remotely: server.php and tests/tmssql.php.
Examples of web applications including this library that have been
confirmed vulnerable are:
Mantis 1.0.0rc4
PostNuke 0.761
Moodle 1.5.3
Cacti 0.8.6g
IMPACT:
tmssql.php allows a remote attacker to execute an arbitrary PHP
function.
Where the vulnerable web application uses MySQL and the MySQL root
account has no password, server.php also allows execution of arbitrary
SQL statements against the database; where the database server runs
with write access to the web root, this extends to creating attacker-chosen
PHP scripts within the web root.
AusCERT anticipates that attackers will use web search engines to
scan for vulnerable systems, allowing automated compromise of large
numbers of web servers.
MITIGATION:
For developers using ADOdb directly, version 4.70 has been released
fixing these vulnerabilities. [1]
PostNuke, Moodle and Cacti have also released separate updates fixing
the vulnerability in their own product distributions.
In all cases, removing the two vulnerable test scripts (server.php and
tests/tmssql.php) from every copy of the library, including copies bundled
inside other applications, is also an effective workaround.
In some cases, targeted organizations may not be aware that they
have a web server running the vulnerable software within their network.
AusCERT recommends that network administrators audit their networks
for web applications that use ADOdb, and either uninstall or update
them.
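The audit-and-remove workaround described above, as an added example (this is
not AusCERT's advice text and not ADOdb project code): a POSIX shell script
that locates every ADOdb copy under a web root by its adodb.inc.php file,
counts the two test scripts named in this alert, moves them out of the web
root into a quarantine directory, and counts access-log requests for either
script so an administrator can tell whether the host has already been probed.
The sample web root layout, the quarantine location, the combined log format
and the log lines are constructed assumptions so the script runs offline; the
function names are hypothetical.

```shell
#!/bin/sh
# Added example (not AusCERT's or the ADOdb project's code): locate and
# neutralise the two ADOdb test scripts named in the alert, then check an
# access log for probes. Sample paths and log lines are constructed here.

# ADOdb ships adodb.inc.php at the top of its directory; use it as the marker.
find_adodb_dirs() {
    find "$1" -type f -name 'adodb.inc.php' -exec dirname '{}' \; 2>/dev/null
}

# Print whichever of the two vulnerable scripts still exist under one ADOdb dir.
list_test_scripts() {
    for rel in server.php tests/tmssql.php; do
        [ -f "$1/$rel" ] && printf '%s\n' "$1/$rel"
    done
    return 0
}

# Audit: number of vulnerable scripts left anywhere under a web root.
count_test_scripts() {
    find_adodb_dirs "$1" | while IFS= read -r dir; do
        list_test_scripts "$dir"
    done | wc -l | tr -d ' '
}

# Remediate: move each script out of the web root into a quarantine directory
# (assumed location), preserving its relative path for later review.
quarantine_test_scripts() {
    webroot=$1; qdir=$2
    find_adodb_dirs "$webroot" | while IFS= read -r dir; do
        list_test_scripts "$dir"
    done | while IFS= read -r f; do
        rel=${f#"$webroot/"}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf 'quarantined %s\n' "$f"
    done
}

# Detect: count access-log requests for either script, wherever the library
# is nested under the site. Combined log format is assumed.
count_log_probes() {
    grep -E -c '"(GET|POST) [^" ]*(/server\.php|/tests/tmssql\.php)(\?[^" ]*)? ' "$1" || true
}

# Constructed sample web root: one ADOdb copy bundled in an application and
# one standalone copy (hypothetical layout).
make_sample_webroot() {
    sample=$(mktemp -d)
    for app in mantis/library/adodb adodb; do
        mkdir -p "$sample/$app/tests"
        : > "$sample/$app/adodb.inc.php"
        : > "$sample/$app/server.php"
        : > "$sample/$app/tests/tmssql.php"
        : > "$sample/$app/tests/other.php"   # unrelated file, must be left alone
    done
    printf '%s\n' "$sample"
}

# Constructed access-log excerpt: two probes and one benign request.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.5 - - [10/Jan/2006:09:12:01 +1000] "GET /adodb/server.php?x=1 HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [10/Jan/2006:09:12:02 +1000] "GET /mantis/library/adodb/tests/tmssql.php HTTP/1.0" 200 1024 "-" "-"
198.51.100.7 - - [10/Jan/2006:09:13:10 +1000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
EOF
    printf '%s\n' "$log"
}

root=$(make_sample_webroot)
printf 'before: %s vulnerable script(s) under %s\n' "$(count_test_scripts "$root")" "$root"
quarantine_test_scripts "$root" "$root.quarantine"
printf 'after:  %s vulnerable script(s)\n' "$(count_test_scripts "$root")"
printf 'probes in sample log: %s\n' "$(count_log_probes "$(make_sample_log)")"
```

Point the functions at the real document root (and real log) instead of the
constructed sample to audit a host; the quarantine keeps copies outside the
web root so an investigation can still compare them against the shipped files.
Patching to ADOdb 4.70 or the vendors' updated releases remains the proper fix.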
DETAILS:
Further detail is provided in Secunia Research advisory 2005-64. [2]
REFERENCES:
[1] ADOdb release announcement
http://phplens.com/lens/lensforum/msgs.php?id=14362
[2] Secunia Research Advisory 2005-64
http://secunia.com/secunia_research/2005-64/advisory/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ8NFFCh9+71yA2DNAQLG5wQAkN5on6CuiIvsQaID18mudYbjpNgQEo4O
7ivBsR8VesRbVSPySllhkJ4G3SMnLQXYp+PfWSfhUyIAoP2yzqxVXFpDb8Li2/KY
eJTGErkl8CupItw9kvC/vE+RDKLn8xvhu4JAIjNA3Pe4erCVjeJ2o88xh1qWut6h
ErscjcP5ejw=
=2nWg
-----END PGP SIGNATURE-----