Bugtraq mailing list archives

phpsquidpass: unauthorized user deleting


From: ppp-design <security () ppp-design de>
Date: Sun, 23 Jun 2002 17:50:20 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following design error in phpsquidpass:


Details
- -------
Product: phpsquidpass
Affected Version: 0.11 and possibly all earlier versions
Immune Version: 0.2
OS affected: all operating systems running PHP
Vendor-URL: http://sourceforge.net/projects/phpsquidpass
Vendor-Status: informed, new version available
Security-Risk: low
Remote-Exploit: Yes


Introduction
- ------------
phpsquidpass is a PHP frontend that lets Squid users change their
passwords. Unfortunately the software suffers from a design error that
can lead to existing users' entries being overwritten.


More details
- ------------
The problem is the incorrect use of the PHP function ereg. When searching
for the username, the regular expression used is "$username:". Because
the pattern is not anchored to the start of the line, it also matches
every username that ends in $username.


Proof-of-concept
- ----------------
$ cat /etc/squid/conf/proxy_users
otheruser:abcabcabcabc
user:u2rsop.rgGdMQ

Password for otheruser is unknown, password for user is "pppdesign".

Now use phpsquidpass: Log in with username "user", old password
"pppdesign", new password "anything".

$ cat /etc/squid/conf/proxy_users
user:qOeMIgXWkhxD.
user:S6UsDZDEwc1aY

The username "otheruser" is replaced with "user", and the password is
"anything" for both lines. This works whenever the shorter username is
a suffix of the longer one and the longer one appears in the file
before the shorter one.
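The following is an added example, not code from the advisory or from phpsquidpass. It reproduces the matching flaw described in "More details" and "Proof-of-concept" in Python's re module (standing in for PHP's ereg), places the unanchored check beside an anchored, escaped one, and includes the duplicate-username check that the advisory names as the tell-tale of an overwritten entry. The file contents are constructed from the advisory's sample; the replacement hash "NEWHASH" is a placeholder, not crypt output, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of Squid's proxy_users file (user:hash),
# taken from the advisory's proof-of-concept; the hashes are placeholders.
SAMPLE_FILE = "otheruser:abcabcabcabc\nuser:u2rsop.rgGdMQ\n"


def matches_vulnerable(username, line):
    """The flawed check: an unanchored, unescaped search for '<username>:'
    anywhere in the line. 'user:' therefore also matches 'otheruser:...'."""
    return re.search(username + ":", line) is not None


def matches_fixed(username, line):
    """Anchored at the start of the line, with the username escaped so that
    regex metacharacters in it cannot widen the match."""
    return re.match("^" + re.escape(username) + ":", line) is not None


def change_password(contents, username, new_hash, matcher):
    """Rewrite every line accepted by `matcher` as '<username>:<new_hash>',
    modelling how the frontend replaces a user's entry. Returns the new
    file contents; with the vulnerable matcher 'otheruser' is overwritten."""
    out = []
    for line in contents.splitlines():
        if line and matcher(username, line):
            out.append(f"{username}:{new_hash}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def duplicate_users(contents):
    """Detection: usernames occurring more than once in the file, which is
    exactly the trace an overwrite of this kind leaves behind."""
    counts = {}
    for line in contents.splitlines():
        if ":" in line:
            name = line.split(":", 1)[0]
            counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    print(change_password(SAMPLE_FILE, "user", "NEWHASH", matches_vulnerable))
    print(change_password(SAMPLE_FILE, "user", "NEWHASH", matches_fixed))
```

Running the block prints the two resulting files: the vulnerable matcher yields two "user:" lines and loses "otheruser", the anchored matcher touches only the intended entry. Escaping the username matters beyond this bug: a username such as "u.er" would otherwise match "user:" as well, since "." is a metacharacter in both ERE and PCRE.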


Temporary-fix
- -------------
Replace the regular expressions:

54c54
<     if (!ereg("$username:.",$password_file)) {
    if (!ereg("(^$username:.|\n$username:.)",$password_file)) {
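Review bot: $username is still interpolated into the expression unescaped, so a username containing ERE metacharacters such as "." or "(" would change what even the anchored pattern matches; ereg offers no quoting helper, so validate the username against a strict character set before building the pattern. The anchoring itself is correct for this site: "^" only matches at the very start of $password_file, so the "\n$username:." alternative is what finds entries on later lines. Note also that the replacement line carries no ">" marker, so the hunk cannot be applied with patch as shown.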
63c63
<        if (ereg("$username:.",$line)) {
       if (ereg("(^$username:.|\n$username:.)",$line)) {
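Review bot: $line holds a single line at this site, so the "\n$username:." alternative can never match and "^$username:." alone is sufficient; the shorter form is easier to review. The trailing "." also requires at least one character after the colon, so an entry with an empty hash field would not be found by any of the three expressions.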
115c115
<           if (ereg("$username:.",$password_file[$x])) {
          if (ereg("^($username:.)",$password_file[$x])) {
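Review bot: the parentheses in "^($username:.)" are unnecessary and differ from the shape used in the two hunks above ("^$username:."); use one form consistently so the three sites are obviously equivalent. The same caveat applies here: $username goes into the expression verbatim, so it must not contain ERE metacharacters.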



Fix
- ---
Use at least phpsquidpass v0.2, which fixes the bug in almost the same
way as the temporary fix.


Security-Risk
- -------------
Only valid users can make use of this bug, and it is easy to see who
has overwritten another user because their username then appears twice
in the password file. This is why we rate the risk of this bug as low.


Vendor status
- -------------
The author reacted very quickly and published a new version that fixes
the vulnerability within 6 hours.


Disclaimer
- ----------
All information that can be found in this advisory is believed to be
true, but may not be. ppp-design cannot be held responsible for the
use or misuse of this information. Redistribution of this text is
only permitted if the text has not been altered and the original
author ppp-design (http://www.ppp-design.de) is mentioned.


This advisory can be found online:
http://www.ppp-design.de/advisories.php



- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9Fe47DXh7YLO1RRoRAtKOAJ9dLTxr+jsiCSxYBoiAHhSDqRNCAwCg+by4
078O8P+OrkFBPh+WwzTsA54=
=ffLc
-----END PGP SIGNATURE-----

