Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: phpSlash account hijacking vulnerability
From: tobozo () madchat org
Date: 7 Jul 2005 17:28:01 -0000


                          Sysdream && Serial Savate System.

<[( advisory )]>---------------------------------------<[(  xxxxxxxxxxx6.adv.en

Program          : PHPSLASH
Homepage         : http://www.php-slash.org
Author Contacted : 05/may/2005
Author's Answer  : 06/may/2005 joestewart
Version tested   : 0.7.1, 0.7.2, 0.8.*, dev
Found by         : crashfr at sysdream dot com
This Advisory    : tobozo at phpsecure dot info


- Application description
  ~~~~~~~~~~~~~~~~~~~~~~~

phpSlash is a powerful CMS written in php that provides easy and flexible means to
publish community-based websites.

It currently boasts full HTML templates, an OO design, the ability to operate in a
hosted environment.

It provides an easy setup wizard, several WYSIWYG, and the ability
to absorb other applications as modules (psl mods) such as PHPlist, Wikka, DotProject,
HCL, Coppermine, eGroupWare ....

It also supports external plugins for content rendering like BBCode integration,
Markdown, Smarty and Textile.

PHPSlash does NOT use PEAR (but PHPLIB), so it is NOT vulnerable to PEAR::XML-RPC flaw ;-)


- Problem description:
  ~~~~~~~~~~~~~~~~~~~~

There is an input validation flaw in Author.class::saveProfile which can lead to
gain root privileges by hijacking user account.

In function saveProfile, author_id value is retrieved from the wrong source : user
info in $ary is not compared to the author_id associated to the running session ...


<?
   /* Code extracted from Author.class */

   function saveProfile($ary) {

      global $HTTP_COOKIE_VARS;

      // (  ... snip ... )

/********************************************************************
*  This sql query is using data from an untrusted source ( $ary )   *
********************************************************************/

      $this->db->query("SELECT author_id
                        FROM psl_author
                        WHERE author_id = '".$ary['author_id']."'");

/********************************************************************
* This condition is not relevant in that context, it is the current *
* author_id (from $this->auth) that should eventually be compared   *
********************************************************************/

      if ($this->db->next_record()) {
         if ($ary['password'] == "") {
            $q  = "UPDATE psl_author
                      SET author_name     = '$ary[author_name]',
                          author_realname = '$ary[author_realname]',
                          url      = '$ary[url]',
                          email    = '$ary[email]',
                          quote    = '$ary[quote]',
                          author_options = '$serial_opts'
                    WHERE author_id   = '$ary[author_id]'";
                    // use $this->auth->auth['uid'] instead of untrusted $ary
         } else {
            $q  = "UPDATE psl_author
                   SET author_name     = '$ary[author_name]',
                       author_realname = '$ary[author_realname]',
                       url      = '$ary[url]',
                       email    = '$ary[email]',
                       quote    = '$ary[quote]',
                      password = MD5('$ary[author_name]:$ary[password]'),
                       author_options = '$serial_opts'
                 WHERE author_id   = '$ary[author_id]'";

             /************************************************************/
             // use $this->auth->auth['uid'] and $this->auth->auth['uname']
             // instead of untrusted $ary
             /************************************************************/
         }
      }

      // (  ... snip ... )

   }

?>




- Impact:
  ~~~~~~~

A malicious registered user can forge a http request that will overwrite
preferences of other author(s) (including author realame, email addr, url,
and password)

A malicious developper can easily code an automated attack with the help of
the self-registration capacity offered by phpslash and build cms-based zombie
network.

In fact any registered user with AuthorSaveProfile perm can overwrite other
account's preferences.

Vulnerable site's recognition may vary depending on configuration and version
of the package, the ability to match them will depend principally on version
identification, this should be subject for a second bulletin uncovering the
more generic html fingerprinting problem found in the common footer templates.

The point to focus on to identify if your version is vulnerable or not are the
default perms assigned to a self-registered user (AuthorProfileSave, id 50).

Some upgrades (7 to 8) seem not to have this perm set, and therefore are not
vulnerable.

Some versions with config value 'authmode' set to 'log' are less vulnerable to
manual or automated attacks.



- Exploit:
  ~~~~~~~~

based on the knowledge of the following informations :

- the site's login url (predictable filename : login.php?login=yes&mode=reg)
- the ability to register without validation (logged in after registration)
- the ability to update users' profile (change author name)
- any existing pair author_realname/author_id (eg. found in search.php's html source code)
- the root's author_id and the admin's author_realname (predictable as found on CVS source)

account hijacking exploit can be done by performing the following actions :

- register for an account
- log in
- verify that you can update your profile
- copy the html source found in profile.php somewhere on your hard drive and edit
- set the target value in the <form> to match the site's url
- alter the value of the input field 'author-name' to match the targetted users' author_name
- alter the value of the input field 'author_id' to match the targetted user's author_id
- open the html file in a browser
- type the desired password (twice)
- submit the form
- logout
- login as the targetted user's author_name and the previously chosen password
- voila


Fix :
~~~~~

Download the latest package (0.8.1) from the phpslash project page :

http://sourceforge.net/project/showfiles.php?group_id=10566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


- Contact us:
  ~~~~~~~~~~~
http://www.phpsecure.info
http://www.sysdream.com

tobozo at phpsecure dot info
crashfr at sysdream dot com

- Greetings:
  ~~~~~~~

The phpSlash Team, Serial Savate System, crashfr, mOg

[EOF]


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]