Bugtraq mailing list archives
Mambo SiteServer exploit gains administrative privileges
From: Simen Bergo <sbergo () thesource no>
Date: 24 Feb 2003 17:08:16 -0000
MAMBO SITESERVER EXPLOIT GAINS ADMINISTRATIVE PRIVILEGES ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ PROGRAM: Mambo SiteServer HOMEPAGE: http://www.mamboserver.com/ TESTED: Mambo 4.0.12 RC2 LOGIN REQUIRED: No PROOF OF CONCEPT ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ I have created an exploit that will gain access to the host you specify. It can be found at the URL below, but must only be used on your own website for testing purposes. http://www.voidnull.com/exploit/mamboexp.phps DESCRIPTION ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ "Mambo SiteServer is the finest open source Web Content Management System available today." (direct quote from the Mambo SiteServer website) A vulnerability in /administrator/index2.php allows any user to gain administrator access as long as they know any sessionid in the session table the script uses. (The code that is vulnerable is too big to include here) Actually, you would think just logging in as a normal user would create this sessionid, however a bug in the PHP sourcecode of the project make sure this does not happen. Anyone with a slight knowledge of PHP knows that when you set a cookie, it is not updated until you refresh the webpage. Anyone but the coders of Mambo SiteServer, that is: setcookie("sessioncookie", "$sessionID"); if ($HTTP_COOKIE_VARS["sessioncookie"]!="") { $query="INSERT into ".$dbprefix."session set session_id='$cryptSessionID', guest='', userid='$uid', usertype='$usertype', gid='$gid', username='$username'"; $database->openConnectionNoReturn($query); } As we can see, Mambo SiteServer checks if the cookie has been set before it inserts the sessionid into the table. As it has not yet been set, no sessionid is inserted and therefore we cannot "login" to the administrator directory either. Moving on in the sourcecode, to SessionCookie.php (which is called when you logout), we can see that a sessionid is inserted whenever you logout. Why? I have no idea. $current_time = time(); if ($HTTP_COOKIE_VARS["sessioncookie"]==""){ $randnum=getSessionID1(); ... $cryptrandnum=md5($randnum); ... setcookie("sessioncookie", "$randnum"); $guest=1; $query="INSERT into ".$dbprefix."session SET username='', time=$current_time, session_id='$cryptrandnum', guest=$guest"; $database->openConnectionNoReturn($query); } A cookie, looking something like the following will now be sent to the browser: sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063 All we have to do is MD5-encrypt it, since that is what was done to the session that was inserted to the MySQL-table. In this example the encrypted version is: 0ebda5bbba49dc226b4ed8fc801f1d98 By accessing /administrator/index2.php with this session, Mambo SiteServer will think that we are the administrator logged in: /administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98 SUMMARY ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ Gaining administrative privileges gives you access to all MySQL-databases, user passwords, news, polls and everything else the server has. Many websites run Mambo SiteServer in addition to other scripts that requires MySQL, and this is therefore a huge threat to many webmasters. SOLUTIONS ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ Until Mambo release a patch for this vulnerability I suggest password- protecting your /administrator directory with .htaccess. VENDOR STATUS ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯ The vendor has reportedly been notified. They are currently developing a patch for this vulnerability.
Current thread:
- Mambo SiteServer exploit gains administrative privileges Simen Bergo (Feb 24)