Owl Intranet Engine 1.00 Authentication Bypass

15 Dec 2011. Reported by redteam-pentesting.de. Type: packetstorm. Source: packetstormsecurity.com

Owl Intranet Engine 1.00 Authentication Bypass Advisory: RedTeam Pentesting discovered an Authentication Bypass vulnerability in Owl Intranet Engine, allowing unauthenticated users admin access to affected systems

Advisory: Owl Intranet Engine: Authentication Bypass  
  
During a penetration test, RedTeam Pentesting discovered an  
Authentication Bypass vulnerability in the Owl Intranet Engine, which  
allows unauthenticated users administrative access to the affected  
systems.  
  
  
Details  
=======  
  
Product: Owl Intranet Engine  
Affected Versions: 1.00, possibly all older versions  
Fixed Versions: 1.01  
Vulnerability Type: Authentication Bypass  
Security Risk: high  
Vendor URL: http://owl.anytimecomm.com  
Vendor Status: fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-005  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"Owl is a multi user document repository (knowledge base) system written  
in PHP for publishing files/documents onto the web for a corporation,  
small business, group of people, or just for yourself."  
  
(From the vendor's homepage)  
  
  
More Details  
============  
  
The Owl Intranet Engine implements an administrative interface, allowing  
users in the "Administrators" group to add and edit users and generally  
maintain the Owl system. By default, a guest account is activated that  
can be used for anonymous read-only access.  
  
Under normal circumstances, no user is allowed access to the system if  
authentication or authorisation fails. If however the guest account on  
the system is deactivated (option "Disable User"), it is possible to  
completely bypass authentication and authorisation and gain access to  
the admin area.  
  
When a web page belonging to the administrative interface is called, it  
first checks whether the user is authorised to view this page. For this  
purpose, the function fIsAdmin(true) in lib/owl.lib.php is called. If the  
return value is "false", the PHP function die() is called, showing a  
message to the user that he or she is not authorized to view this page.  
  
If the return value is "true" but guest access is disabled, the PHP  
function header() is used to redirect the user to the login page, without  
a call to die() to prevent the rest of the page from being built. If the  
browser is configured not to follow the redirect, the whole page content  
is shown to the attacker.  
  
As the Owl Intranet Engine uses the PHP function extract() on the global  
arrays $_POST and $_GET, it is possible to set the value of the global  
variable $userid by passing it as a GET variable. Appending the string  
"?userid=VALUE" to the URL thus allows an arbitrary value to be set for  
the userid.  
  
The initial "admin" user always has the id "1", so this value can be  
used to get an administrative user's id. In the fIsAdmin() function, the  
access rights of the user are checked using the query  
  
"SELECT userid,groupid from membergroup where userid = '$userid' and  
groupid = '0'"  
  
The $userid variable now contains the global value "1" set via the GET  
request, so the query returns "true" and the requested page is loaded in  
the attacker's browser.  
  
  
Proof of Concept  
================  
  
A web browser that does not follow redirects is needed, for example  
Firefox with the NoRedirect extension installed and activated.  
  
  
The following URL displays the "Users&Groups" tab of the administrative  
interface:  
  
http://www.example.org/owl/admin/index.php?userid=1  
  
  
The next URL displays the mask for adding new users to the system:  
  
http://www.example.org/owl/admin/index.php?userid=1&newuser  
  
  
This URL allows direct editing of the default administrator account:  
  
http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1  
  
  
Workaround  
==========  
  
A possible workaround would be to add a call to exit() after every  
header() call used for redirecting. This way, no page content will be  
displayed. The variable $userid should also be reset to a sane default  
value after the call to the extract() function on the global $_GET and  
$_POST arrays.  
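To make the two defects from "More Details" and this workaround concrete, here is an added PHP sketch (not code from Owl or from the advisory) of an admin-page guard in its vulnerable form beside a hardened form. The guard function names, the login path and the fIsAdmin() signature taking a database handle are assumptions of this example.

```php
<?php
// Added illustration, not code from Owl or from the advisory: an admin-page
// guard with the two flaws described above, beside a hardened version that
// applies the workaround. Function names, the login path and the fIsAdmin()
// signature taking a database handle are assumptions of this example.

// Group check using a prepared statement instead of string interpolation.
function fIsAdmin(PDO $db, $userid): bool
{
    $stmt = $db->prepare(
        'SELECT userid, groupid FROM membergroup WHERE userid = ? AND groupid = 0'
    );
    $stmt->execute([$userid]);
    return $stmt->fetch() !== false;
}

// --- Vulnerable pattern ----------------------------------------------------
function vulnerable_guard(PDO $db, bool $guestDisabled): void
{
    // extract() copies every request parameter into a variable of the
    // current scope, so a userid parameter becomes $userid here.
    extract($_GET);
    extract($_POST);
    if ($guestDisabled && empty($_SESSION['userid'])) {
        // Redirect without exit(): PHP keeps executing, and a client that
        // ignores the Location header receives the full page body.
        header('Location: /owl/login.php');
    }
    if (!fIsAdmin($db, $userid ?? '')) {   // $userid may have come from the URL
        die('You are not authorized to view this page');
    }
}

// --- Hardened pattern (advisory workaround applied) ------------------------
function hardened_guard(PDO $db, bool $guestDisabled): void
{
    extract($_GET);
    extract($_POST);
    // Reset $userid right after extract(): identity comes only from the
    // server-side session the login code populated, never from the request.
    $userid = (int)($_SESSION['userid'] ?? 0);
    if ($guestDisabled && $userid === 0) {
        header('Location: /owl/login.php');
        exit();   // stop here: nothing after a redirect may reach the client
    }
    if (!fIsAdmin($db, $userid)) {
        die('You are not authorized to view this page');
    }
}
```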
  
  
Fix  
===  
  
Upgrade to version 1.01.  
  
  
Security Risk  
=============  
  
This vulnerability allows unauthenticated and unauthorised users to  
access the Owl Intranet Engine with administrative access rights,  
allowing them to fully control the affected system.  
  
  
History  
=======  
  
2011-05-29 Vulnerability identified  
2011-07-26 Customer approved disclosure to vendor  
2011-10-31 Vendor notified  
2011-11-30 Vendor released fixed version and notified customer base  
2011-12-15 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests (pentests for  
short), performed by a team of specialised IT security experts. In this  
way, security weaknesses in company networks or products are uncovered  
and can be fixed immediately.  
  
As there are only a few experts in this field, RedTeam Pentesting wants  
to share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
