Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Forrest J. Cavalier III (mibsoftMIBSOFTWARE.COM)
Date: Fri Jan 26 2001 - 13:30:25 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    In all versions of NewsDaemon prior to 0.21b (released 25 Jan 2001),
    it is possible to spoof a global variable in an HTTP request and
    obtain administrator access remotely.

    NewsDaemon is the PHP-based Web Log software that runs
    http://daily.daemonnews.org/ a popular news and discussion
    site for the BSD communities.

    The NewsDaemon software is freely available at

    PHP is a freely available server-side scripting language
    from http://www.php.net/

    It is common practice to configure PHP with register_globals
    set on. Depending on the setting of gpc_order, this makes
    all GET, POST, ENV, and COOKIE values available as global

    This behavior can be quite useful, but requires care to
    ensure that all global variables are assigned from trusted
    input and aren't "spoofed" by GET or POST values.

    When a global value can be spoofed, it can often be used
    to change the operation of the script and or SQL queries
    which do not properly escape single quotes.

    In the case of NewsDaemon, the global variable $user_username
    is used to check the administrator level using a mysql
    query (edited for clarity.)

      SELECT admin_level FROM access, users WHERE
             users.username = '$user_username' AND users.id=access.user_id

    It was possible to spoof $user_username with single quotes
    embedded, changing the operation of the SQL statement:

      SELECT admin_level FROM access, users WHERE
             users.username = ''
             OR admin_level=2 OR username ='x' AND users.id=access.user_id";

    This gains administrator privileges, allowing viewing of the
    user list, assigning privileges, approving stories, etc.

    NewsDaemon 0.21b is released with changes to allow operation
    with PHP register_globals set to Off. In PHP 4 (and in PHP3 when
    track_vars is on) all GET and POST values are now obtained
    from associative arrays.

    More information on PHP configuration is at:

    If you are unable to set register_globals off, (or are running PHP3)
    you must make changes to NewsDaemon (even the 0.21b release)
    to ensure that $user_username is not spoofed.

    Simply assigning $user_username = '' at the top of user_info.php3
    will ensure this.

    Properly quoting all values into the MySQL query would prevent
    modifying the operation of the SQL statement.

    There are variations in quoting for different SQL database managers.

    A PHP quoting functions suitable for quoting in ODBC or MySQL,
    can be found in librock_db.php3, located at:


    The function name is librock_db_Quote()

    The problem was discovered by a source code inspection by
    Forrest J. Cavalier III, and the developers and DaemonNews
    editors were notified on January 23, 2001.

    Fixes to NewsDaemon were developed and tested by them, and
    released on January 25, 2001.


    Forrest J. Cavalier III, Mib Software Voice 570-992-8824

    http://www.rocketaware.com/ has over 30,000 links to source, libraries, functions, applications, and documentation.