
Citadel.org security advisory - 2009-march-23

I. BACKGROUND

WebCit is a middleware application which provides a web based user interface for the Citadel groupware system. More information may be found at the project's site at the following URL:

http://www.citadel.org

II. DESCRIPTION AND ANALYSIS

WebCit uses a weak encoding for remotely supplied data when building up a local string, so that attacker-controlled bytes reach the format argument of a printf-style call. Exploitation of this format string vulnerability could allow a remote attacker to perform an unauthorized privilege escalation.
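The following C program is an added illustration of the bug class named above; it is not WebCit's own code, and the function and buffer names in it are hypothetical. It places a vulnerable pattern (remote data passed as the format argument) beside its hardened form, and adds a small scan that counts conversion directives in untrusted input, the kind of check a test suite or an edge filter can apply. The sample inputs are constructed; the "100%% done" case is chosen because "%%" has well-defined behaviour, so the difference between the two functions can be observed without triggering undefined behaviour.

```c
/* Added example: hypothetical code illustrating a format string bug,
 * not taken from WebCit or Citadel. */
#include <stdio.h>
#include <string.h>

static char scratch_unsafe[64];
static char scratch_safe[64];

/* Silence the compiler's own warning for the deliberately vulnerable
 * function so the example builds cleanly; in real code, heed it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* VULNERABLE: data that arrived over the network becomes the FORMAT
 * argument. snprintf() parses it for conversion directives (%x, %s,
 * %n, ...), so the remote party controls what is read from the stack
 * and, via %n, what is written to memory. */
const char *build_greeting_unsafe(const char *remote)
{
    snprintf(scratch_unsafe, sizeof scratch_unsafe, remote); /* BUG */
    return scratch_unsafe;
}
#pragma GCC diagnostic pop

/* HARDENED: the format is a constant and the remote data is bound to a
 * %s conversion, so it is copied verbatim and never interpreted. */
const char *build_greeting_safe(const char *remote)
{
    snprintf(scratch_safe, sizeof scratch_safe, "%s", remote);
    return scratch_safe;
}

/* Counts conversion directives in untrusted text ("%%" is a literal
 * percent sign and is not counted). A non-zero result for a field that
 * is expected to be plain text is a useful detection or test signal. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *remote = "100%% done";   /* constructed sample input */

    /* The unsafe path collapses "%%" to "%": proof the data was parsed
     * as a format. With "%x" or "%n" the effect would be far worse. */
    printf("unsafe: %s\n", build_greeting_unsafe(remote));
    printf("safe:   %s\n", build_greeting_safe(remote));
    printf("directives in \"id=%%x%%x%%n\": %d\n",
           count_format_directives("id=%x%x%n"));
    return 0;
}
```

Compiling the vulnerable function without the pragmas produces a -Wformat-security warning from GCC and Clang; building with that warning enabled (or with -Werror=format-security) is the cheapest way to keep this pattern out of a C code base.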

III. DETECTION

Citadel.org has confirmed the existence of this vulnerability in version 7.22 of WebCit. Other components of the Citadel system are not affected.

IV. WORKAROUND

If you are unable to upgrade your system to a non-vulnerable version of WebCit at this time, you may instead block access to the following URLs using your site's existing edge security tools:

/mini_calendar

/webcit/mini_calendar

This prevents remote exploitation of this vulnerability, at the expense of reduced functionality of the program.

V. VENDOR RESPONSE

Citadel.org has confirmed that this vulnerability has been fixed.

If you are using source code downloads, please upgrade to version 7.39 (or later).

If you are using the Easy Install system or the VMware appliance, please run a normal update in order to receive the patch.

If you are using Debian or Ubuntu packages, please upgrade to version 7.38-37 (or later).

Please be advised that you may also be required to upgrade the Citadel server in order to maintain compatibility with a new version of WebCit.

VI. DISCLOSURE TIMELINE

2009-02-13 - discovery of vulnerability

2009-02-13 - fix implemented

2009-03-23 - coordinated public disclosure

VII. CREDIT

This vulnerability was discovered internally by Wilfried Goesgens (dothebart@uncensored.citadel.org) and patched prior to disclosure.

VIII. LEGAL NOTICES

Copyright © Citadel.org

Permission is granted for unlimited redistribution of this alert. The information in this advisory is believed to be accurate at the time of publishing based on currently available information, and is provided “as is” with no warranties as to its accuracy or applicability. The publisher does not accept liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Copyright © 1987-2014 Uncensored Communications Group. All rights reserved.