MA-331.092012 : MyCERT Alert - MyMeeting File Upload PHP Code Execution
Notify vendor: 2012-09-11
MyMeeting is a web application specifically designed to help users to better manage their meetings and get more out of them. It is developed by the Open Source Competency Center (OSCC) in Malaysia.  MyMeeting is widely used in Malaysia especially in government organizations and universities.
MyMeeting contains a flaw that allows a remote authenticated user to execute arbitrary PHP code. This flaw exists because the application does not properly verify or sanitize user-uploaded document.
MyMesyarat , the forked version of MyMeeting, also appear to be vulnerable to this vulnerability.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-3572 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
By exploiting this vulnerability, it allows a remote authenticated user to execute arbitrary code on the computer running MyMeeting or MyMesyuarat with the privilege of Apache process.
3.0 Affected Products
- MyMeeting v3.0.1 and earlier versions
- MyMesyuarat v09b-1
MyCERT has been informed by MyMesyuarat’s developer that the issue has been resolved in the latest release of MyMesyuarat. As of the writing of this advisory, there is no patch released for MyMeeting yet. Users of MyMeeting could follow the instructions in Recommendation part as for the workaround.
MyMeeting users can disable the PHP support in the "upload" folder so that the uploaded PHP file cannot be executed. PHP can be disabled in specific folder by using ".htaccess" file and the content can be as below:
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
6.0 Revision History
2012.06.15.1 Initial release of advisory for vendor
2012.06.15.2 MyMesyarat added into the vulnerable list
2012.06.18.1 CVE added
2012.06.28.1 Vendor response
2012.09.11.1 Initial release of advisory for public
E-mail : email@example.com or firstname.lastname@example.org
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT