rt-sa-2005-002.txt

rt-sa-2005-002.txt: Posted Feb 25, 2005; Site tsyklon.informatik.rwth-aachen.de; CitrusDB suffers from an authentication bypass vulnerability in version 0.3.6.; tags | advisory, bypass; advisories | CVE-2005-0408; SHA-256 | 461da12ad7db956105f4b4680916f2a6a032d7b8c2a449372f7be44a28f47629; Download | Favorite | View

rt-sa-2005-002.txt


--Apple-Mail-26--887768831
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
  charset=US-ASCII;
  delsp=yes;
  format=flowed

                  Advisory: Authentication bypass in CitrusDB

A group of Students in our lab called RedTeam found an authentication  
bypass vulnerability in CitrusDB which can
result in complete corruption of the installed CitrusDB application.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <=0.3.6
Immune Version: none (2005-01-30)
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed
Advisory-URL:   
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 
-002
Advisory-Status: public
CVE: CAN-2005-0408  
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0408#)

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP  
and a
database backend (currently MySQL) to keep track of customer  
information,
services, products, billing, and customer service information."

CitrusDB uses the same personal cookie for every user at each time for
identification.

More Details
============

CitrusDB uses a cookie user_name to determine the name of the user and a
cookie id_hash to check if the user_name is valid. The id_hash is a md5
checksum of the username with the string "boogaadeeboo" appended.
Example:
user_name: admin
id_hash: md5sum("adminboogaadeeboo") = 4b3b2c8666298ae9771e9b3d38c3f26e
An attacker only needs to guess a correct username, "admin" normally  
will
work since it is the default administrator name in CitrusDB.

Proof of Concept
================

curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e;
user_name=admin" http://<targethost>/citrusdb/tools/index.php

Workaround
==========

Change $hidden_hash_var in /citrusdb/include/user.inc.php to a value
different than "boogaadeeboo". This way the an attacker needs to  
acquire a
correct cookie to get access.

Fix
===

citusdb should determine a value for $hidden_hash_var at install time
ensuring that this value is different

Security Risk
=============

The security risk is very high because an attacker may gain full  
control of
CitrusDB.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0408

RedTeam
=======

RedTeam is penetration testing group working at the Laboratory for  
Dependable
Distributed Systems at RWTH-Aachen University. You can find more  
Information
on the RedTeam Project at  
http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/

--Apple-Mail-26--887768831
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature;
  name=smime.p7s
Content-Disposition: attachment;
  filename=smime.p7s

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGWzCCAxQw
ggJ9oAMCAQICAwzibTANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh
d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt
YWlsIElzc3VpbmcgQ0EwHhcNMDQwODE4MTI1MTUxWhcNMDUwODE4MTI1MTUxWjBUMR8wHQYDVQQD
ExZUaGF3dGUgRnJlZW1haWwgTWVtYmVyMTEwLwYJKoZIhvcNAQkBFiJkb3Juc2VpZkBpbmZvcm1h
dGlrLnJ3dGgtYWFjaGVuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAwMVffI
m78UUzzFpUTBaD3jzSOQABB4r+iznf6HnZ8oJUYvwbjZ8Na/S8Ie4o7VXAA2Dp2ipgAtvypY3VPI
d7LVdcQVJQNOLYQnICMJf7xTtXIoC7gDlOZFRfIl0zdrvNIOx+nhXgIgoQ7/IUcGQXF5Xgjg4sp1
YH4BFNOGNwl5VqwmazxtIGz5Bxzp3MJMV21T4MDBqX9DJcT9Oq+73fCCHzJh4tyNRrBI2ty9lvUB
n4dMv86jYDPK1BJmI9dy0/NM0ryA2ShHPmnxxNPd5i0s6g41L5M72garF5/RYEViEmTryAaI2yre
0Ps4EVmGH03FLEzTFvLDJL3FeL5gGQIDAQABo2IwYDAOBgNVHQ8BAf8EBAMCA/gwEQYJYIZIAYb4
QgEBBAQDAgWgMC0GA1UdEQQmMCSBImRvcm5zZWlmQGluZm9ybWF0aWsucnd0aC1hYWNoZW4uZGUw
DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCJCkQHOMXRjNdwnsWFWz8553dpExvcZ6Ff
tPAoXMkArHRvenUCNY+1e9hAed7mcHs4EP9Y04V52b9tJ/NaTR6tQUS8PzO2P/Aw3hjKwh/3CdKO
FwG15KEcZW3KG0jy4Tlp8re0wcxXBxKygq0k7TRqx338MwEVPCisWB+NHumcUDCCAz8wggKooAMC
AQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh
cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNV
BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJz
b25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3Rl
LmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYD
VQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29u
YWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqq
P3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEE
QB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSG
Mmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZI
hvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNw
PP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTl
EBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggLnMIIC4wIBATBpMGIxCzAJBgNVBAYTAlpBMSUw
IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDOJtMAkGBSsOAwIaBQCgggFTMBgGCSqGSIb3DQEJ
AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA1MDIxNDIxMTg1M1owIwYJKoZIhvcNAQkE
MRYEFMhbtB3YdAkUNQMuAcEcXPrvAWZlMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMM4m0wegYLKoZIhvcNAQkQAgsxa6BpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQD
EyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDOJtMA0GCSqGSIb3DQEBAQUA
BIIBAI/B3khWgoCfM9F5peNKRlNzz1V73Ta4BCd5UESCxrmietCZ1vnO823pPUue8s92thqSrbdk
ANlJjPu8C79IGSEFGy4Dx10+8s9FNsbGdRzVIXVnLdNnzxf9ekICQbU6cu0H0JGKzH/DT/sDian7
mw9A0FAg294B7fSaR1Z6Wy0ZorxPE1QY2+mBhcVsLOu1AGYpzLCSLWkDQt6IJ25rKMgt2OxAv/gR
yYVHR2bxc06QCsc4vns1FLe66b3/s0v/GC0PH0/rWzfxXvM0hZso2Mfaod6qqgnk6oHA4T/FcBJ/
etlQIhRpg2ssr9XIWxbQdZ10sMSpJ78TH41PLw8Dr8sAAAAAAAA=

--Apple-Mail-26--887768831--

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

rt-sa-2005-002.txt

rt-sa-2005-002.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

rt-sa-2005-002.txt

Share This

rt-sa-2005-002.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems