PT-2012-05: Multiple Vulnerabilities in Quercus

(PT-2012-05) Positive Technologies Security Advisory
Multiple vulnerabilities in Quercus

Vulnerable software

Quercus on Resin
Version 4.0.28 and earlier

Application link:
http://www.caucho.com/

Software description

Quercus on Resin is Caucho's implementation of PHP (Quercus), included in the Resin web server.

1. HTTP Parameter Contamination

Severity level: High
Impact: HTTP Parameter Contamination
Access Vector: Remote  

CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE: CVE-2012-2965

Vulnerability description

Some special characters in variable names are handled inappropriately, which may be leveraged by attackers. Additionally, attackers may intentionally cause an HTTP 500 error.

2. Variables Globalization and Overwriting

Severity level: High
Impact: Variables Globalization and Overwriting
Access Vector: Remote  

CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE: CVE-2012-2966

Vulnerability description

When parameters are transferred via POST, they become global variables, and items of the _SERVER array may be overwritten.

3. Inappropriate Variable Comparison

Severity level: High
Impact: Inappropriate Variable Comparison
Access Vector: Remote  

CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE: CVE-2012-2967

Vulnerability description

Loose (flexible) comparison using the == operator between variables of different types is implemented inappropriately.

4. Path Traversal

Severity level: Medium
Impact: Path Traversal
Access Vector: Remote  

CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE: CVE-2012-2968

Vulnerability description

When downloading files, the ../ string may be inserted into filenames via forged HTTP requests. Such insertion allows files to be downloaded into arbitrary directories (i.e. Path Traversal).

5. Null Byte Injection

Severity level: Medium
Impact: Null Byte Injection
Access Vector: Remote  

CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVE: CVE-2012-2969

Vulnerability description

When downloading files, null bytes may be inserted into filenames via forged HTTP requests. The part of the filename after the null byte is dropped, which allows attackers to bypass certain checks.
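As an added example (not code from the advisory or from Caucho/Quercus), the following PHP upload handler shows the application-side checks a developer would want for issues 3, 4 and 5 above: filenames containing null bytes or directory separators are rejected rather than stripped, the destination is confirmed to stay inside the upload root after realpath() resolution, and the access token is compared strictly so the check never depends on the engine's loose (==) comparison rules. Because of issue 2, the handler also deliberately bases no decision on $_SERVER. The constants UPLOAD_DIR and EXPECTED_TOKEN, the field names "token" and "file", and all function names are assumptions of this example; it assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not from the advisory or from Caucho/Quercus.
// Hardened upload handler: strict token comparison, fail-closed filename
// validation (null bytes, ../, separators) and containment check.

const UPLOAD_DIR = '/var/www/uploads';            // assumed upload root
const EXPECTED_TOKEN = 'REPLACE-WITH-REAL-TOKEN';  // placeholder, not a real value

/**
 * Strictly compare a request token against the expected one.
 * Non-strings and length mismatches are rejected before a constant-time
 * byte comparison, so no loose (==) type conversion is ever involved.
 */
function tokenMatches($supplied, string $expected): bool
{
    if (!is_string($supplied) || strlen($supplied) !== strlen($expected)) {
        return false;
    }
    return hash_equals($expected, $supplied);    // PHP >= 5.6, strict bytes
}

/**
 * Return a safe base filename, or null if the client-supplied name is
 * unacceptable. Rejecting instead of sanitizing means names such as
 * "page.php\0.txt" or "../index.php" fail closed.
 */
function safeFilename(string $clientName): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null;                               // null byte injection
    }
    if (strpos($clientName, '/') !== false || strpos($clientName, '\\') !== false) {
        return null;                               // directory components
    }
    // Allow-list: letters, digits, dot, dash, underscore; no leading dot, so
    // ".." and hidden files are impossible; length capped at 128 characters.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/', $clientName)) {
        return null;
    }
    return $clientName;
}

/**
 * Build the destination path and confirm it stays inside UPLOAD_DIR even
 * after symlink resolution. realpath() is applied to the parent directory
 * because the target file does not exist yet.
 */
function destinationPath(string $safeName): ?string
{
    $root = realpath(UPLOAD_DIR);
    if ($root === false) {
        return null;                               // upload root missing
    }
    $dest = $root . DIRECTORY_SEPARATOR . $safeName;
    if (realpath(dirname($dest)) !== $root) {
        return null;                               // escaped the upload root
    }
    return $dest;
}

/** Process one upload request; returns a short status string. */
function handleUpload(array $post, array $files): string
{
    if (!tokenMatches($post['token'] ?? null, EXPECTED_TOKEN)) {
        return 'rejected: bad token';
    }
    $upload = $files['file'] ?? null;
    if ($upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
        return 'rejected: no file';
    }
    $name = safeFilename((string) $upload['name']);
    if ($name === null) {
        return 'rejected: unsafe filename';
    }
    $dest = destinationPath($name);
    if ($dest === null || !move_uploaded_file($upload['tmp_name'], $dest)) {
        return 'rejected: cannot store';
    }
    return 'stored as ' . basename($dest);
}

echo handleUpload($_POST, $_FILES), "\n";
```

The containment check in destinationPath() is redundant with the allow-list in safeFilename() by design: if a future change relaxes the allow-list, the realpath() comparison still keeps writes inside the upload root. Note that these checks reduce exposure of an application running on an affected Quercus version but do not replace the vendor fix; the advisory's remediation is to update.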

How to fix

Update the software to the latest version.

Advisory status

23.03.2012 - Vendor is notified
23.03.2012 - Vendor gets vulnerability details
19.04.2012 - Vulnerability details were sent to CERT
13.07.2012 - Vendor releases fixed version and details
31.08.2012 - Public disclosure

Credits

The vulnerabilities were discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company).

References

http://en.securitylab.ru/lab/PT-2012-05
http://www.kb.cert.org/vuls/id/309979

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies (www.ptsecurity.com) is among the key players in the IT security market in Russia.

The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; and the development of Securitylab, the leading Russian information security portal.

Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.

Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company's specialists hold professional titles and certificates; they are members of various international societies and are actively involved in the development of the IT security field.