
metadotPortal.txt

Posted Dec 28, 2005
Authored by Gerry Chng, Claudean Zheng

Metadot versions 6.4.4 and below suffer from a stale variable issue that allows users to gain administrative privileges.

tags | advisory
SHA-256 | cf7d121b03dc61261a92e45cbee18b0167a6a6a3889d56781bd37a0e30fea7fa

Title
---------------------------------------------------------------------------------------
Vulnerability in Metadot portal server allows users to gain
administrative privileges

Vendor
---------------------------------------------------------------------------------------
Metadot Corporation (http://www.metadot.com)

Summary
---------------------------------------------------------------------------------------
Any logged in user can be added into any group, including the SITE_MGR
group, effectively gaining a subset of the administrative privileges.

Description
---------------------------------------------------------------------------------------
Metadot is an open-source portal software used for creating websites
and portals. It provides users with a quick interface to start
building their web portals. Features available in Metadot's portal
server include discussion forums, polls, calendars, FAQs etc.

Vulnerability
---------------------------------------------------------------------------------------
During a penetration test, it was discovered that an authenticated
user can access and manage groups which they are not owners or members
of. This includes the Metadot default site manager (SITE_MGR) group.
As a result, users can manage any group and add or remove accounts
from that group.

Hence, to gain administrative privileges on a Metadot portal, an
attacker can simply add himself into SITE_MGR group. Site managers
are allowed to perform many administrative tasks and have the ability
to modify site content. This exploit to gain administrative
privileges can be carried out as long as the attacker knows the group
identification number of SITE_MGR group as well as the correct fields
to alter in the URL.

The vulnerability is caused by stale global variables ($IS_OWNER,
$IS_MANAGER, $IS_ADMIN) that are not reset in Metadot's "Group.pm"
Perl module. If a previous operation has set any of these variables
to 1, a subsequent call does not reset them. The problem is in the
set_group_permission_variables() function, as illustrated in the
code snippet below.

Code snippet from Group.pm
---------------------------------

sub set_group_permission_variables {
    my $self      = shift;
    my $grp_id    = $self->{grp_id};
    my $owner_uid = $USER->{uid};

    # $IS_OWNER, $IS_ADMIN and $IS_MANAGER are package globals. Each branch
    # only ever raises a flag; a call in which no branch matches leaves
    # whatever value an earlier operation stored there.
    if (DBAccess->sqlSelect("group_name", "grp",
                            "grp_id = $grp_id and userid = '$owner_uid'")) {
        $IS_OWNER = 1;
    } elsif ($ACCESS_BROKER->is_allowed_to_do('manage_registrations')) {
        $IS_ADMIN = 1;
    } elsif (DBAccess->sqlSelect("is_manager", "grpmembers",
                                 "grp_id = $grp_id and userid = '$owner_uid' and is_manager = 1")) {
        $IS_MANAGER = 1;
    }
}

It can be seen from the code that the variables $IS_OWNER, $IS_ADMIN
and $IS_MANAGER are only set to '1' when the corresponding privilege
check succeeds. When the check fails, nothing is assigned and the
global variables retain the values left behind by earlier operations.
Thus the vulnerability can be exploited by first performing an
operation that sets one of these variables to '1', then accessing the
SITE_MGR group.

Affected versions
---------------------------------------------------------------------------------------
The vulnerability affects Metadot version 6.4.4 as well as earlier versions.

Solution
---------------------------------------------------------------------------------------
Metadot has since addressed this bug in its latest download (version
6.4.5) available at http://www.metadot.com/

Alternatively, to fix the problem, reset the global variables in
"Group.pm" by adding the line $IS_OWNER = $IS_ADMIN = $IS_MANAGER = 0;
as the 5th line of the set_group_permission_variables method, before
any of the privilege checks run:

sub set_group_permission_variables {
    my $self      = shift;
    my $grp_id    = $self->{grp_id};
    my $owner_uid = $USER->{uid};

    $IS_OWNER = $IS_ADMIN = $IS_MANAGER = 0;   # fix: clear stale flags before the checks

    if (DBAccess->sqlSelect("group_name", "grp",
                            "grp_id = $grp_id and userid = '$owner_uid'")) {
        $IS_OWNER = 1;
    } elsif ($ACCESS_BROKER->is_allowed_to_do('manage_registrations')) {
        $IS_ADMIN = 1;
    } elsif (DBAccess->sqlSelect("is_manager", "grpmembers",
                                 "grp_id = $grp_id and userid = '$owner_uid' and is_manager = 1")) {
        $IS_MANAGER = 1;
    }
}
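Added example, not Metadot's code and not from the advisory authors: a Python model of the if/elsif chain described in the Vulnerability section and of the reset line in the Solution section, showing how a flag raised while viewing one group survives into a later call for SITE_MGR on 6.4.4 and is cleared by the fix. The group table, membership rows and user names are constructed sample data.

```python
# Constructed sample data standing in for Metadot's grp and grpmembers tables:
# grp(grp_id, group_name, owner userid) and grpmembers(grp_id, userid, is_manager).
GRP = {
    10: {"group_name": "photo-club", "userid": "alice"},
    1: {"group_name": "SITE_MGR", "userid": "admin"},
}
GRPMEMBERS = [{"grp_id": 1, "userid": "admin", "is_manager": 1}]
# Users granted 'manage_registrations' (stands in for the $ACCESS_BROKER check).
REGISTRATION_MANAGERS = {"admin"}

# Module-level state modelling the Perl package globals $IS_OWNER/$IS_ADMIN/$IS_MANAGER.
PERMS = {"IS_OWNER": 0, "IS_ADMIN": 0, "IS_MANAGER": 0}


def set_group_permission_variables(grp_id, uid, reset_first):
    """Mirror of the if/elsif chain in Group.pm. reset_first=False reproduces
    6.4.4, where flags are only ever raised; reset_first=True adds the
    advisory's one-line reset so a non-matching call clears stale flags."""
    if reset_first:
        PERMS["IS_OWNER"] = PERMS["IS_ADMIN"] = PERMS["IS_MANAGER"] = 0
    grp = GRP.get(grp_id)
    if grp is not None and grp["userid"] == uid:
        PERMS["IS_OWNER"] = 1
    elif uid in REGISTRATION_MANAGERS:
        PERMS["IS_ADMIN"] = 1
    elif any(m["grp_id"] == grp_id and m["userid"] == uid and m["is_manager"] == 1
             for m in GRPMEMBERS):
        PERMS["IS_MANAGER"] = 1


def permissions_after_two_requests(uid, first_grp, second_grp, reset_first):
    """Serve two group pages in the same process and return the flags the
    second page would act on. Globals start clean, as in a fresh process."""
    PERMS.update(IS_OWNER=0, IS_ADMIN=0, IS_MANAGER=0)
    set_group_permission_variables(first_grp, uid, reset_first)
    set_group_permission_variables(second_grp, uid, reset_first)
    return dict(PERMS)


if __name__ == "__main__":
    # alice owns group 10 and has no rights on SITE_MGR (group 1); on 6.4.4 the
    # IS_OWNER flag from her own group leaks into the SITE_MGR page.
    print("6.4.4:", permissions_after_two_requests("alice", 10, 1, reset_first=False))
    print("fixed:", permissions_after_two_requests("alice", 10, 1, reset_first=True))
```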

History
---------------------------------------------------------------------------------------
Discovery: 29 November 2005
Vendor notified: 29 November 2005
Patch released: 18 December 2005
Public disclosure: 20 December 2005

Authors
---------------------------------------------------------------------------------------
Gerry Chng
Claudean Zheng

Gerry and Claudean are part of the Attack & Penetration team in Ernst
& Young Labs for Internet and Security (EYLIS)