Open Source and information security mailing list archives
Message-ID: <27e6e559819c211bfd7eb7be2d80d982@informatik.rwth-aachen.de>
From: dornseif at informatik.rwth-aachen.de (Maximillian Dornseif)
Subject: Advisory: Authentication bypass in CitrusDB

                  Advisory: Authentication bypass in CitrusDB

A group of students in our lab, the RedTeam, found an authentication bypass
vulnerability in CitrusDB which can result in complete corruption of the
installed CitrusDB application.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <=0.3.6
Immune Version: none (2005-01-30)
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-002
Advisory-Status: public
CVE: CAN-2005-0408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0408)

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP
and a database backend (currently MySQL) to keep track of customer
information, services, products, billing, and customer service information."

CitrusDB identifies a user by a personal cookie whose value is the same for
that user every time; it is not changed between logins.

More Details
============

CitrusDB uses a cookie user_name to determine the name of the user and a
cookie id_hash to check that the user_name is valid. The id_hash is an MD5
checksum of the username with the string "boogaadeeboo" appended.
Example:

  user_name: admin
  id_hash:   md5sum("adminboogaadeeboo") = 4b3b2c8666298ae9771e9b3d38c3f26e

Because the id_hash depends only on the user name and a fixed string, an
attacker only needs to guess a correct username; "admin" normally works
since it is the default administrator name in CitrusDB.

Proof of Concept
================

  curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e; user_name=admin" http://<targethost>/citrusdb/tools/index.php

Workaround
==========

Change $hidden_hash_var in /citrusdb/include/user.inc.php to a value
different from "boogaadeeboo". This way an attacker needs to acquire a
correct cookie to get access.

Fix
===

CitrusDB should determine a value for $hidden_hash_var at install time,
ensuring that this value is different for every installation.
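As an added example (not code from CitrusDB or from this advisory), the id_hash construction described above, beside the install-time secret the Fix section calls for and a keyed cookie check; HMAC-SHA256, the function names and the secret length are assumptions:

```python
"""Added example, not CitrusDB's own code: the id_hash construction as the
advisory describes it, beside an install-time secret and a keyed check."""
import hashlib
import hmac
import secrets

# The shipped $hidden_hash_var named in the advisory.
SHIPPED_HIDDEN_HASH_VAR = "boogaadeeboo"


def legacy_id_hash(user_name: str, hidden_hash_var: str = SHIPPED_HIDDEN_HASH_VAR) -> str:
    """id_hash as deployed: md5(user_name + $hidden_hash_var), hex encoded.
    With the shipped constant the value depends on the user name alone, so
    every installation issues the same cookie for the same user."""
    return hashlib.md5((user_name + hidden_hash_var).encode()).hexdigest()


def cookie_uses_shipped_secret(user_name: str, presented_id_hash: str) -> bool:
    """Defender's check: does a presented cookie match the shipped-constant
    scheme? Flags installations that never changed $hidden_hash_var."""
    return hmac.compare_digest(legacy_id_hash(user_name), presented_id_hash)


def generate_install_secret() -> str:
    """The advisory's fix: choose $hidden_hash_var at install time, per
    installation. 32 bytes from the OS CSPRNG, hex encoded (assumed length)."""
    return secrets.token_hex(32)


def id_hash(user_name: str, install_secret: str) -> str:
    """Hardened variant: a keyed MAC over the user name instead of an unkeyed
    MD5. HMAC-SHA256 is an assumption; CitrusDB's actual fix is not shown."""
    return hmac.new(install_secret.encode(), user_name.encode(), "sha256").hexdigest()


def verify_cookie(user_name: str, presented_id_hash: str, install_secret: str) -> bool:
    """Server-side check of the cookie pair; constant-time comparison avoids
    leaking how many leading bytes of the hash were right."""
    expected = id_hash(user_name, install_secret)
    return hmac.compare_digest(expected, presented_id_hash)
```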

Security Risk
=============

The security risk is very high because an attacker may gain full control
of CitrusDB.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0408

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
