[UNIX] phpSquidPass Software Design Error
From: support@securiteam.com
Date: 07/18/02
From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 18 Jul 2002 08:06:00 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpSquidPass Software Design Error
------------------------------------------------------------------------
SUMMARY
phpSquidPass <http://sourceforge.net/projects/phpsquidpass> is a PHP
front-end that lets Squid users change their passwords. Unfortunately, the
software suffers from a design error that can lead to existing users being
overwritten.
DETAILS
Vulnerable systems:
* phpSquidPass version 0.11
Immune systems:
* phpSquidPass version 0.2
The problem is incorrect use of the PHP function ereg. When searching for
the username, the regular expression used is "$username:". Because the
pattern is not anchored to the start of the line, it matches every username
that ends in $username.
Proof-of-concept:
$ cat /etc/squid/conf/proxy_users
otheruser:abcabcabcabc
user:u2rsop.rgGdMQ
The password for otheruser is unknown; the password for user is "pppdesign".
Now use phpSquidPass: Log in with username "user", old password
"pppdesign", new password "anything".
$ cat /etc/squid/conf/proxy_users
user:qOeMIgXWkhxD.
user:S6UsDZDEwc1aY
The username "otheruser" is replaced with "user", and the password is
"anything" for both lines. This works whenever the short username is the
tail of the long one and the long one is placed before the shorter
username.
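The matching step described above, modelled in Python as an added example (not phpSquidPass code; the function names, the NEWHASH value and the "j.doe" entries are assumptions). It goes slightly beyond the advisory by also comparing the name as a plain string, so characters in a username are never read as regex syntax.

```python
import re

# Constructed sample: the two entries from the advisory's proxy_users file.
PASSWD = ["otheruser:abcabcabcabc", "user:u2rsop.rgGdMQ"]

def rewrite(lines, username, new_hash, matches):
    """Replace every entry selected by matches() with username:new_hash.
    Assumption: models only the line-selection step, not the login check."""
    return [f"{username}:{new_hash}" if matches(line) else line
            for line in lines]

def change_unanchored(lines, username, new_hash):
    """Pattern "$username:." searched anywhere in the line (0.11 behaviour)."""
    pat = re.compile(username + ":.")
    return rewrite(lines, username, new_hash, lambda l: pat.search(l))

def change_anchored(lines, username, new_hash):
    """Pattern "^($username:.)" from the temporary fix."""
    pat = re.compile("^(" + username + ":.)")
    return rewrite(lines, username, new_hash, lambda l: pat.search(l))

def change_exact(lines, username, new_hash):
    """No regex: compare the field before the first ':' as a plain string."""
    def matches(line):
        name, sep, _ = line.partition(":")
        return bool(sep) and name == username
    return rewrite(lines, username, new_hash, matches)

if __name__ == "__main__":
    for fn in (change_unanchored, change_anchored, change_exact):
        print(fn.__name__, fn(PASSWD, "user", "NEWHASH"))
    # Constructed second case: "." in a name is a wildcard inside a regex.
    dotted = ["jxdoe:aaaaaaaa", "j.doe:bbbbbbbb"]
    print(change_anchored(dotted, "j.doe", "NEWHASH"))
    print(change_exact(dotted, "j.doe", "NEWHASH"))
```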
Temporary-fix:
Replace the regular expressions:
54c54
< if (!ereg("$username:.",$password_file)) {
> if (!ereg("(^$username:.|\n$username:.)",$password_file)) {
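Review bot: $username is interpolated into the ereg pattern on the ">" line without escaping, so a name containing a regex metacharacter such as "." can still match entries it should not. Escape the name before building the pattern, or split each entry at the first ":" and compare the name as a plain string.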
63c63
< if (ereg("$username:.",$line)) {
> if (ereg("(^$username:.|\n$username:.)",$line)) {
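Review bot: the new pattern applied to $line keeps the "\n$username:." alternative, while the change at line 115 matches a single entry with "^($username:.)". If $line holds one entry per iteration, the "\n" branch is never needed and is worth dropping so both per-line checks use the same anchored form.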
115c115
< if (ereg("$username:.",$password_file[$x])) {
> if (ereg("^($username:.)",$password_file[$x])) {
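Review bot: the trailing "." in "^($username:.)" requires at least one character after the colon, so an entry with an empty password field is never matched. If such entries can occur in the file, match "^$username:" alone; the parentheses can also go, since this ereg call passes no array to receive the captured group.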
Fix:
Use the latest phpSquidPass (version 0.2), which fixes the bug in nearly the
same way as the temporary fix.
Solution:
The vendor has issued a fixed version.
ADDITIONAL INFORMATION
The information has been provided by ppp-design
<mailto:security@ppp-design.de>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.