Re: phpSlash account hijacking vulnerability
Sysdream && Serial Savate System.
<[( advisory )]>---------------------------------------<[( xxxxxxxxxxx6.adv.en
Program : PHPSLASH
Homepage : http://www.php-slash.org
Author Contacted : 05/may/2005
Author's Answer : 06/may/2005 joestewart
Version tested : 0.7.1, 0.7.2, 0.8.*, dev
Found by : crashfr at sysdream dot com
This Advisory : tobozo at phpsecure dot info
- Application description
~~~~~~~~~~~~~~~~~~~~~~~
phpSlash is a powerful CMS written in PHP that provides easy and flexible means
to publish community-based websites.
It currently boasts full HTML templates, an OO design, and the ability to
operate in a hosted environment.
It provides an easy setup wizard, several WYSIWYG editors, and the ability
to absorb other applications as modules (psl mods) such as PHPlist, Wikka,
DotProject, HCL, Coppermine, eGroupWare ....
It also supports external plugins for content rendering like BBCode integration,
Markdown, Smarty and Textile.
PHPSlash does NOT use PEAR (but PHPLIB), so it is NOT vulnerable to the
PEAR::XML-RPC flaw ;-)
- Problem description:
~~~~~~~~~~~~~~~~~~~~
There is an input validation flaw in Author.class::saveProfile which can lead to
gaining root privileges by hijacking a user account.
In function saveProfile, the author_id value is retrieved from the wrong source:
the user info in $ary is never compared to the author_id associated with the
running session...
<?
/* Code extracted from Author.class */
function saveProfile($ary) {
    global $HTTP_COOKIE_VARS;
    // ( ... snip ... )
    /********************************************************************
     * This sql query is using data from an untrusted source ( $ary )   *
     ********************************************************************/
    $this->db->query("SELECT author_id
                      FROM psl_author
                      WHERE author_id = '".$ary['author_id']."'");
    /********************************************************************
     * This condition is not relevant in that context, it is the current *
     * author_id (from $this->auth) that should eventually be compared   *
     ********************************************************************/
    if ($this->db->next_record()) {
        if ($ary['password'] == "") {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            // use $this->auth->auth['uid'] instead of untrusted $ary
        } else {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      password = MD5('$ary[author_name]:$ary[password]'),
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            /************************************************************/
            // use $this->auth->auth['uid'] and $this->auth->auth['uname']
            // instead of untrusted $ary
            /************************************************************/
        }
    }
    // ( ... snip ... )
}
?>
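The following hardened saveProfile() is added here as an illustration of the fix the comments above call for; it is not phpSlash's own 0.8.1 patch. It assumes $this->auth->auth['uid'] and $this->auth->auth['uname'] hold the session's author_id and author_name, and that $this->db is a PHPLIB DB_Sql-style object providing query() and affected_rows().

```php
<?php
/* Added illustration, not phpSlash's own code. Assumed (not on the page):
 * $this->auth->auth['uid'] / ['uname'] are the session's author_id and
 * author_name; $this->db is PHPLIB DB_Sql-like with query() and
 * affected_rows(). Intended as a drop-in method body for Author.class. */
function saveProfile($ary)
{
    // Identity comes from the authenticated session, never from the form.
    $author_id   = (int) $this->auth->auth['uid'];
    $author_name = $this->auth->auth['uname'];
    if ($author_id <= 0) {
        return false;                   // no session: nothing to save
    }
    // A submitted author_id that differs from the session is a forged
    // request: refuse it and leave a trace for the site operator.
    if (isset($ary['author_id']) && (int) $ary['author_id'] !== $author_id) {
        error_log("saveProfile: author_id mismatch, session uid=$author_id");
        return false;
    }
    // Only the fields a user may legitimately edit, quoted before use;
    // author_name is deliberately absent so the login name cannot be moved.
    $set = array();
    foreach (array('author_realname', 'url', 'email', 'quote') as $f) {
        $val   = isset($ary[$f]) ? $ary[$f] : '';
        $set[] = "$f = '" . addslashes($val) . "'";
    }
    if (isset($ary['password']) && $ary['password'] !== '') {
        // Keep the existing MD5('name:password') scheme so current rows
        // still verify, but bind it to the session name, not $ary.
        $hash_src = addslashes($author_name . ':' . $ary['password']);
        $set[]    = "password = MD5('" . $hash_src . "')";
    }
    // WHERE is bound to the session uid, so the UPDATE can only touch
    // the caller's own row regardless of what the form carried.
    $this->db->query("UPDATE psl_author SET " . implode(', ', $set)
                   . " WHERE author_id = '" . $author_id . "'");
    return $this->db->affected_rows() == 1;
}
?>
```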
- Impact:
~~~~~~~
A malicious registered user can forge an HTTP request that will overwrite the
preferences of other author(s) (including author realname, email address, url,
and password).
A malicious developer can easily code an automated attack with the help of
the self-registration capacity offered by phpslash and build a cms-based zombie
network.
In fact any registered user with the AuthorSaveProfile perm can overwrite other
accounts' preferences.
Recognition of vulnerable sites may vary depending on configuration and version
of the package; the ability to match them will depend principally on version
identification, which should be the subject of a second bulletin uncovering the
more generic html fingerprinting problem found in the common footer templates.
The point to focus on to identify whether your version is vulnerable or not is
the default perms assigned to a self-registered user (AuthorProfileSave, id 50).
Some upgrades (7 to 8) seem not to have this perm set, and are therefore not
vulnerable.
Some versions with config value 'authmode' set to 'log' are less vulnerable to
manual or automated attacks.
- Exploit:
~~~~~~~~
Based on the knowledge of the following information :
- the site's login url (predictable filename : login.php?login=yes&mode=reg)
- the ability to register without validation (logged in after registration)
- the ability to update users' profile (change author name)
- any existing pair author_realname/author_id (eg. found in search.php's html
  source code)
- the root's author_id and the admin's author_realname (predictable as found in
  CVS source)
an account hijacking exploit can be done by performing the following actions :
- register for an account
- log in
- verify that you can update your profile
- copy the html source found in profile.php somewhere on your hard drive and
  edit it
- set the target value in the <form> to match the site's url
- alter the value of the input field 'author-name' to match the targeted
  user's author_name
- alter the value of the input field 'author_id' to match the targeted user's
  author_id
- open the html file in a browser
- type the desired password (twice)
- submit the form
- logout
- login as the targeted user's author_name and the previously chosen password
- voila
- Fix:
~~~~~
Download the latest package (0.8.1) from the phpslash project page :
http://sourceforge.net/project/showfiles.php?group_id=10566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Contact us:
~~~~~~~~~~~
http://www.phpsecure.info
http://www.sysdream.com
tobozo at phpsecure dot info
crashfr at sysdream dot com
- Greetings:
~~~~~~~
The phpSlash Team, Serial Savate System, crashfr, mOg
[EOF]