Full Disclosure mailing list archives
Advisory: Authentication bypass in CitrusDB
From: Maximillian Dornseif <dornseif () informatik rwth-aachen de>
Date: Mon, 14 Feb 2005 22:18:53 +0100
Advisory: Authentication bypass in CitrusDBA group of Students in our lab called RedTeam found an authentication bypass vulnerability in CitrusDB which can
result in complete corruption of the installed CitrusDB application. Details ======= Product: CitrusDB Affected Version: 0.3.6 (verified), probably <=0.3.6 Immune Version: none (2005-01-30) OS affected: all Security-Risk: very high Remote-Exploit: yes Vendor-URL: http://www.citrusdb.org/ Vendor-Status: informedAdvisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -002
Advisory-Status: publicCVE: CAN-2005-0408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0408#)
Introduction ============ Description from vendor:"CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information,
services, products, billing, and customer service information." CitrusDB uses the same personal cookie for every user at each time for identification. More Details ============ CitrusDB uses a cookie user_name to determine the name of the user and a cookie id_hash to check if the user_name is valid. The id_hash is a md5 checksum of the username with the string "boogaadeeboo" appended. Example: user_name: admin id_hash: md5sum("adminboogaadeeboo") = 4b3b2c8666298ae9771e9b3d38c3f26eAn attacker only needs to guess a correct username, "admin" normally will
work since it is the default administrator name in CitrusDB. Proof of Concept ================ curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e; user_name=admin" http://<targethost>/citrusdb/tools/index.php Workaround ========== Change $hidden_hash_var in /citrusdb/include/user.inc.php to a valuedifferent than "boogaadeeboo". This way the an attacker needs to acquire a
correct cookie to get access. Fix === citusdb should determine a value for $hidden_hash_var at install time ensuring that this value is different Security Risk =============The security risk is very high because an attacker may gain full control of
CitrusDB. History ======= 2005-02-04 Email sent to author 2005-02-12 CVE number requested 2005-02-14 posted as CAN-2005-0408 RedTeam =======RedTeam is penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/
-- Maximillian Dornseif, Dipl. Jur., CISSP Laboratory for Dependable Distributed Systems, RWTH Aachen University Tel. +49 241 80-21431 - http://md.hudora.de/
Attachment:
smime.p7s
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Advisory: Authentication bypass in CitrusDB Maximillian Dornseif (Feb 14)