PT-2012-05: Multiple Vulnerabilities in Quercus
Vulnerable software
Quercus on Resin
Version 4.0.28 and earlier
Application link:
http://www.caucho.com/
Software description
Quercus on Resin is an implementation of PHP included in the Resin web server.
1. HTTP Parameter Contamination
Severity level: High
Impact: HTTP Parameter Contamination
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2965
Vulnerability description
Some special characters in variable names are handled inappropriately, which attackers may leverage. Additionally, attackers may intentionally trigger an HTTP 500 error.
2. Variables Globalization and Overwriting
Severity level: High
Impact: Variables Globalization and Overwriting
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2966
Vulnerability description
When parameters are transferred via POST, they are registered as global variables, and items of the _SERVER array may be overwritten.
3. Inappropriate Variable Comparison
Severity level: High
Impact: Inappropriate Variable Comparison
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2012-2967
Vulnerability description
Loose comparison (using the == operator) between variables of different types is implemented inappropriately.
4. Path Traversal
Severity level: Medium
Impact: Path Traversal
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE: CVE-2012-2968
Vulnerability description
When downloading files, the ../ string may be inserted into filenames (via forged HTTP requests). Such insertion allows files to be saved to arbitrary directories (i.e. Path Traversal).
5. Null Byte Injection
Severity level: Medium
Impact: Null Byte Injection
Access Vector: Remote
CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVE: CVE-2012-2969
Vulnerability description
When downloading files, null bytes may be inserted into filenames (via forged HTTP requests). As a result, the part of the string after the null byte is dropped. The vulnerability allows attackers to bypass certain checks.
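The two filename defects above (items 4 and 5) share one defensive fix: reject a name that contains a null byte or a '..' segment instead of storing a truncated or re-rooted path. The following Python function is an added example, not Quercus or Resin code; the sample names and the /var/uploads directory are constructed.

```python
import posixpath
import re

def validate_upload_name(name: str) -> str:
    """Return the bare file name or raise ValueError.

    Rejects, instead of silently truncating, the two filename defects the
    advisory describes: embedded null bytes (CVE-2012-2969) and '../'
    segments (CVE-2012-2968). Both separator styles count as separators.
    """
    if "\x00" in name:
        raise ValueError("null byte in filename")
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        raise ValueError("control character in filename")
    parts = re.split(r"[\\/]+", name)
    if ".." in parts:
        raise ValueError("'..' segment in filename")
    base = parts[-1]          # keep only the last component
    if base in ("", "."):
        raise ValueError("empty filename")
    return base

def resolve_under(upload_dir: str, name: str) -> str:
    """Join the validated name under upload_dir and re-check containment.

    The containment check is a backstop: even if validation is weakened
    later, nothing outside upload_dir is ever returned.
    """
    root = upload_dir.rstrip("/")
    target = posixpath.normpath(posixpath.join(root, validate_upload_name(name)))
    if not target.startswith(root + "/"):
        raise ValueError("resolved path escapes upload directory")
    return target

# Constructed sample filenames (not taken from the advisory).
SAMPLES = [
    "report.pdf",
    "../../etc/passwd",
    "..\\..\\WEB-INF\\web.xml",
    "photo.php\x00.jpg",
    "dir/notes.txt",
]

def check_samples(upload_dir: str = "/var/uploads") -> dict:
    """Map each sample to its resolved path, or to the rejection reason."""
    results = {}
    for name in SAMPLES:
        try:
            results[name] = resolve_under(upload_dir, name)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```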
How to fix
Update the software to the latest version.
Advisory status
23.03.2012 - Vendor is notified
23.03.2012 - Vendor receives vulnerability details
19.04.2012 - Vulnerability details sent to CERT
13.07.2012 - Vendor releases fixed version and details
31.08.2012 - Public disclosure
Credits
The vulnerabilities were discovered by Sergey Scherbel, Positive Research Center (Positive Technologies Company).
References
http://en.securitylab.ru/lab/PT-2012-05
http://www.kb.cert.org/vuls/id/309979
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/