[19543] in bugtraq
INDEXU Authentication By-Pass
daemon@ATHENA.MIT.EDU (Sp4rK)
Wed Mar 7 19:41:41 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0103072311160.1396-100000@debian.undersec.com>
Date: Wed, 7 Mar 2001 23:15:59 +0000
Reply-To: Sp4rK <ultrasp4rk@worldonline.es>
From: Sp4rK <ultrasp4rk@worldonline.es>
To: BUGTRAQ@SECURITYFOCUS.COM
UNDERSEC SECURITY ADVISORY 4th March 20001
=======================================================================
PROGRAM: INDEXU
VERSIONS: All versions prior to 2.0Beta (2.0Beta included)
OS: All
REMOTE: YES
LOCAL: YES
CLASS: Authentication bypass
POSTED BY: Sp4rK <sp4rk@undersec.com>
** BACKGROUND
INDEXU is a content management system software that aims to help a web
master to build a portal in just seconds. It is based in PHP code and
uses MySQL as its database. INDEXU uses a web frontend to manage every
thing.
** PROBLEM DESCRIPTION
INDEXU uses a web frontend to manage every database it uses. The admin
section is located in /admin. When you login there it asks for a user
name and password (defaults to admin/admin). Once you log in it sets a
cookie with the following format:
host.where.indexu.is.installed TRUE / FALSE 1388494785 cooki
e_admin_authenticated 1
This cookie will (or should be) deleted when the current session finis
hes, and is used to determine whether you are an admin or not
** IMPACT
Anybody who can manipulate it's cookie settings is able to act as if
he/she was the admin.
** SOLUTION
Use .htaccess authentication to prevent users from accessing adminitra
tor area.
** NOTE
INDEXU Team was informed of this bug on 2001-03-02.
Their response:
" Hi, thanks for remindering me about this.
It's true, i add 'flag' when administrator logged in. But the flag
that recognize administrator will automatically deleted when he clo
se the browser or logout. But I think it's safer enough for non-eco
mmerce website. Anyway your suggestion is very good too. I'll add
more security when in final version.
Thanks!"
The bug hasn't been fixed yet, but we hope it'll be fixed in the next
release of INDEXU.
UNDERSEC Security TEAM,
http://www.undersec.com/
============== ===== === -- - -
Sp4rK <sp4rk@undersec.com>
UNDERSEC Security Team
