INDEXU Authentication By-Pass

[Sp4rK <ultrasp4rk () worldonline es>]

UNDERSEC SECURITY ADVISORY                              4th March 20001
=======================================================================
PROGRAM:   INDEXU
VERSIONS:  All versions prior to 2.0Beta (2.0Beta included)
OS:        All
REMOTE:    YES
LOCAL:     YES
CLASS:     Authentication bypass
POSTED BY: Sp4rK <sp4rk () undersec com>

** BACKGROUND
INDEXU is a content management system software that aims to help a web
master to build a portal in just seconds.  It is based in PHP code and
uses MySQL as its database. INDEXU uses a web frontend to manage every
thing.

** PROBLEM DESCRIPTION
INDEXU uses a web frontend to manage every database it uses. The admin
section is located in /admin. When you login there it asks for a user
name and password (defaults to admin/admin). Once you log in it sets a
cookie with the following format:

host.where.indexu.is.installed   TRUE   /   FALSE   1388494785   cooki
e_admin_authenticated   1

This cookie will (or should be) deleted when the current session finis
hes, and is used to determine whether you are an admin or not

** IMPACT
Anybody who  can manipulate it's cookie settings is able  to act as if
he/she was the admin.

** SOLUTION
Use .htaccess authentication to prevent users from accessing adminitra
tor area.

** NOTE
INDEXU Team was informed of this bug on 2001-03-02.
Their response:

"  Hi, thanks for remindering me about this.

   It's true, i add 'flag' when administrator logged in.  But the flag
   that recognize administrator will automatically deleted when he clo
   se the browser or logout. But I think it's safer enough for non-eco
   mmerce website.  Anyway your suggestion is very good too.  I'll add
   more security when in final version.

   Thanks!"

The bug hasn't been fixed yet,  but we hope it'll be fixed in the next
release of INDEXU.

UNDERSEC Security TEAM,
http://www.undersec.com/

============== ===== === -- -  -
Sp4rK <sp4rk () undersec com>
UNDERSEC Security Team