Bugtraq mailing list archives
INDEXU Authentication By-Pass
From: Sp4rK <ultrasp4rk () worldonline es>
Date: Wed, 7 Mar 2001 23:15:59 +0000
UNDERSEC SECURITY ADVISORY 4th March 2001
=======================================================================

PROGRAM: INDEXU
VERSIONS: All versions prior to 2.0Beta (2.0Beta included)
OS: All
REMOTE: YES
LOCAL: YES
CLASS: Authentication bypass
POSTED BY: Sp4rK <sp4rk () undersec com>

** BACKGROUND

INDEXU is content management system software that aims to help a webmaster build a portal in just seconds. It is written in PHP and uses MySQL as its database. INDEXU uses a web frontend to manage everything.

** PROBLEM DESCRIPTION

INDEXU uses a web frontend to manage every database it uses. The admin section is located in /admin. When you log in there it asks for a user name and password (defaults to admin/admin). Once you log in it sets a cookie with the following format:

host.where.indexu.is.installed TRUE / FALSE 1388494785 cookie_admin_authenticated 1

This cookie will be (or should be) deleted when the current session finishes, and is used to determine whether you are an admin or not. The server trusts the value of this cookie as sent by the client; nothing else is checked.

** IMPACT

Anybody who can manipulate their own cookie settings is able to act as if they were the admin.

** SOLUTION

Use .htaccess authentication to prevent users from accessing the administrator area.

** NOTE

The INDEXU Team was informed of this bug on 2001-03-02. Their response:

"Hi, thanks for reminding me about this. It's true, I add a 'flag' when the administrator is logged in. But the flag that recognizes the administrator will automatically be deleted when he closes the browser or logs out. But I think it's safe enough for non-ecommerce websites. Anyway your suggestion is very good too. I'll add more security in the final version. Thanks!"

The bug hasn't been fixed yet, but we hope it'll be fixed in the next release of INDEXU.

UNDERSEC Security TEAM, http://www.undersec.com/
=======================================================================

--
Sp4rK <sp4rk () undersec com>
UNDERSEC Security Team
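The flaw described above, as an added example that is not INDEXU's code: the cookie-flag check the advisory describes, next to a server-side session check in which the cookie only carries an unguessable, opaque id and the admin verdict never leaves the server. The cookie name indexu_session, the SessionStore class and the demo credential are constructed for this illustration.

```python
# Added example, not INDEXU's code. Shows the weak pattern from the advisory
# (the cookie itself states the verdict) beside a server-side session check.
import hashlib
import hmac
import secrets

# --- Pattern the advisory describes -----------------------------------------
def is_admin_cookie_flag(cookies):
    """Vulnerable: whatever value the client sends decides the outcome."""
    return cookies.get("cookie_admin_authenticated") == "1"

# --- Hardened pattern: verdict lives on the server, cookie is an opaque id ---
# Constructed demo credential; a real deployment would use a salted, slow KDF.
ADMIN_USER = "admin"
ADMIN_PW_HASH = hashlib.sha256(b"correct horse").hexdigest()

class SessionStore:
    """Server-side session table; the client never sees or sets the role."""

    def __init__(self):
        self._sessions = {}  # session id -> role, held only on the server

    def login(self, username, password):
        """Return a fresh session id on valid credentials, else None."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        # compare_digest avoids leaking the match position through timing.
        if username != ADMIN_USER or not hmac.compare_digest(digest, ADMIN_PW_HASH):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not derived from the user
        self._sessions[sid] = "admin"
        return sid

    def is_admin(self, cookies):
        """True only if the presented id maps to an admin session on the server."""
        sid = cookies.get("indexu_session")
        return sid is not None and self._sessions.get(sid) == "admin"

    def logout(self, cookies):
        """Invalidate the session server-side; deleting the cookie alone is not enough."""
        self._sessions.pop(cookies.get("indexu_session"), None)
```

The checks a reviewer would run: a self-asserted flag grants nothing in the hardened store, an unknown or logged-out id is rejected, and only an id issued after a successful login is accepted.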