Security ALERT for 1.2.4

ai-danno
2006-05-26
2013-06-03
  • ai-danno
    ai-danno
    2006-05-26

    Advisory ID : FrSIRT/ADV-2006-1996
    CVE ID : GENERIC-MAP-NOMATCH
    Rated as : High Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-05-26

    Technical Description

    Multiple vulnerabilities have been identified in Basic Analysis and Security Engine (BASE), which could be exploited by attackers to execute arbitrary commands. These flaws are due to input validation errors in the "base_qry_common.php", "base_stat_common.php", and "includes/base_include.inc.php" scripts that do not validate the "BASE_path" parameter, which could be exploited by remote attackers to include malicious scripts and execute arbitrary commands with the privileges of the web server.

    Affected Products

    Basic Analysis and Security Engine (BASE) 1.2.4 and prior

     
    • Kevin Johnson
      Kevin Johnson
      2006-05-26

      Does anyone have more information on this as no one has contacted us?

      Kevin

       
    • Paul Schmehl
      Paul Schmehl
      2006-05-26

      This can be easily mitigated by requiring a login before being allowed to access Base at all.  We use apache's ldap auth feature to do that.  (I would hope that no one has Base sitting on an internet-accessible IP address anyway, since you don't want to expose your knowledge of intrusion attempts to the world.) You can further mitigate it by restricting access to the machine entirely to one subnet, using the builtin firewalls that most OSes have these days.

      As to the vulnerability itself, I'm not knowledgeable enough of the code to understand how it can be exploited.  What does "$BASE_path = dirname(__FILE__);" accomplish (in the conf file)?

       
      • Kevin Johnson
        Kevin Johnson
        2006-05-29

        It can also be mitigated by not turning on register_globals.  This value hasn't been the defualt since sometime in 2002.

        As to the dirname function, it returns the path from where base_conf.php is located.

        Kevin