Advisory ID : FrSIRT/ADV-2006-1996
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-26
Multiple vulnerabilities have been identified in Basic Analysis and Security Engine (BASE), which could be exploited by attackers to execute arbitrary commands. These flaws are due to input validation errors in the "base_qry_common.php", "base_stat_common.php", and "includes/base_include.inc.php" scripts that do not validate the "BASE_path" parameter, which could be exploited by remote attackers to include malicious scripts and execute arbitrary commands with the privileges of the web server.
Basic Analysis and Security Engine (BASE) 1.2.4 and prior
Does anyone have more information on this as no one has contacted us?
This can be easily mitigated by requiring a login before being allowed to access Base at all. We use Apache's LDAP auth feature to do that. (I would hope that no one has Base sitting on an internet-accessible IP address anyway, since you don't want to expose your knowledge of intrusion attempts to the world.) You can further mitigate it by restricting access to the machine entirely to one subnet, using the built-in firewalls that most OSes have these days.
As to the vulnerability itself, I'm not knowledgeable enough of the code to understand how it can be exploited. What does "$BASE_path = dirname(__FILE__);" accomplish (in the conf file)?
It can also be mitigated by not turning on register_globals. This value hasn't been the default since sometime in 2002.
As to the dirname function, it returns the path from where base_conf.php is located.
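
The following is an added example, not part of the thread and not BASE's own code: a small Python check that flags PHP files which build an include path from a variable they never assign themselves, which is the pattern that lets a request parameter such as "BASE_path" choose the included file when register_globals is on. It generalizes beyond `$BASE_path` to any variable; the function names and the two sample files are constructed for illustration.

```python
import re

# include/require (and *_once) whose path expression begins with a variable,
# e.g. include("$BASE_path/x.php") or require $dir . "/x.php";
# Single-quoted strings are skipped: PHP does not interpolate them.
INCLUDE_VAR = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?\s*"?\s*\$(\w+)', re.I)
# Block comments and whole-line // or # comments.
COMMENTS = re.compile(r'/\*.*?\*/|^[ \t]*(?://|#)[^\n]*', re.S | re.M)


def unassigned_include_vars(php_source):
    """Variables that start an include path with no earlier plain
    assignment in the same file. If such a file is requested directly
    with register_globals on, the value comes from the HTTP request."""
    code = COMMENTS.sub('', php_source)
    findings = []
    for m in INCLUDE_VAR.finditer(code):
        name = m.group(1)
        # "$name =" counts as an assignment; "$name ==" and "$name .=" do not.
        assign = re.compile(r'\$%s\s*=(?!=)' % re.escape(name))
        if not assign.search(code[:m.start()]) and name not in findings:
            findings.append(name)
    return findings


def audit(files):
    """Map file name -> flagged variable names, leaving out clean files."""
    report = {}
    for fname, source in files.items():
        flagged = unassigned_include_vars(source)
        if flagged:
            report[fname] = flagged
    return report


# Constructed sample files (not taken from BASE).
SAMPLES = {
    "conf_sample.php": '<?php\n$BASE_path = dirname(__FILE__);\n'
                       'include("$BASE_path/includes/lib.php");\n',
    "page_sample.php": '<?php\n// caller is expected to set $BASE_path\n'
                       'include_once("$BASE_path/includes/lib.php");\n'
                       'require $lang_dir . "/en.php";\n',
}

if __name__ == "__main__":
    for fname, names in audit(SAMPLES).items():
        print(fname, "->", ", ".join("$" + n for n in names))
```

Treat the output as a review list rather than a verdict: a file that first pulls in a configuration file by a literal path, which then assigns the variable, is still flagged here because the check looks at one file at a time.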