From: Alla B. <al...@sc...> - 2004-05-06 14:50:57
Hello,

(I am not on the list, please put me in CC when replying to the list)

There is a problem in phpwebsite's configuration that can allow anonymous users to upload PHP files and execute them if the web server is configured to allow the PUT HTTP method.

The directories /files, /file/phatfile and /files/phatform have the following permissions:

    drwxrwsr-x 4 apache apache 512 May 5 18:10 files
    drwxrwsr-x 2 apache apache 512 May 5 18:18 phatfile
    drwxrwsr-x 4 apache apache 512 May 4 14:38 phatform

They are writable for the apache user to make file uploads through Document Manager possible. Document Manager does not allow uploading of PHP files. However, if the web server is configured to allow the PUT method (Apache with WebDAV or Microsoft IIS) it is possible to upload files to these directories directly, using a PUT request:

    PUT /files/evilfile.php HTTP/1.1
    Host: someone.running.phpwebsite

This gives an attacker the ability to run arbitrary commands on the server with the privileges of Apache. Uploading can be done using the curl utility:

    curl -T evilfile.php http://someone.running.phpwebsite/files/evilfile.php

By default Apache does not allow the PUT method. Microsoft IIS does allow the PUT method by default (unless WebDAV is explicitly disabled). I believe that some Linux distributions ship Apache with WebDAV enabled; in that case it may allow PUT as well.

I think it should be fixed like this. The "files" directory should be kept outside phpwebsite's web-accessible directory, so that it can't be accessed directly through the web server. All the files in the directory should only be fetched by Document Manager. I believe there is already functionality for fetching files, because it is possible to download a file using a URL like this:

    index.php?module=phatfile&PHPWS_MAN_ITEMS[]=1&FILE_MAN_OP=Download&submit=Go

I believe it is quite important to move the "files" directory outside the web root. It will also solve a problem with people uploading a type of file that phpwebsite does not know about, but the web server does and executes it.

Please feel free to contact me if there is anything I can do to help fix this. I can't provide a patch, sorry for that.

Alla.
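The fix the report proposes is to keep the upload directory outside the document root and hand files out only through an application-level download handler. The following sketch, added here as an illustration and not phpWebSite's own code, shows what such a handler looks like: the storage directory (assumed path /var/lib/phpwebsite/files) is never reachable by URL, a file is addressed by a numeric id rather than by name, and the resolved path is checked with realpath() so that a tampered stored name cannot escape the directory. The $documents table is a constructed stand-in for the Document Manager's database, and resolveDocumentPath()/sendDocument() are hypothetical names.

```php
<?php
// Added example; not phpWebSite's own code.
// FILES_DIR is assumed to lie outside the web server's document root,
// so PHP files placed there by any means are never executed by the server.
define('FILES_DIR', '/var/lib/phpwebsite/files');

// Constructed sample standing in for the Document Manager's database:
// document id => filename as stored on disk.
$documents = [
    1 => 'report.pdf',
    2 => 'notes.txt',
];

/**
 * Map a document id to an absolute path inside FILES_DIR, or null if the
 * id is unknown or the resolved path lies outside FILES_DIR.
 */
function resolveDocumentPath(int $id, array $documents): ?string
{
    if (!isset($documents[$id])) {
        return null;
    }
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . DIRECTORY_SEPARATOR . $documents[$id]);
    if ($base === false || $path === false) {
        return null;
    }
    // Confine to FILES_DIR: reject symlinks or "../" sequences that resolve elsewhere.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Stream a file to the client as a download. Content is sent as an opaque
 * attachment so the browser neither renders nor sniffs it.
 */
function sendDocument(string $path, string $downloadName): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($downloadName) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Entry point: e.g. index.php?id=1
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = ($id === null || $id === false) ? null : resolveDocumentPath($id, $documents);
if ($path === null) {
    http_response_code(404);
    exit;
}
sendDocument($path, $documents[$id]);
```

With this layout a PUT that lands in FILES_DIR (if the server ever accepts one) yields a file that the web server will not serve or execute, because no URL maps to that directory; it can only be returned as a download once the application has registered it.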