Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7826
HistoryFeb 15, 2005 - 12:00 a.m.

[Full-Disclosure] Advisory: Authentication bypass in CitrusDB

2005-02-1500:00:00
vulners.com
11
JSON
              Advisory: Authentication bypass in CitrusDB

A group of Students in our lab called RedTeam found an authentication
bypass vulnerability in CitrusDB which can
result in complete corruption of the installed CitrusDB application.

Details

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <=0.3.6
Immune Version: none (2005-01-30)
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005
-002
Advisory-Status: public
CVE: CAN-2005-0408
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0408#&#41;

Introduction

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP
and a
database backend (currently MySQL) to keep track of customer
information,
services, products, billing, and customer service information."

CitrusDB uses the same personal cookie for every user at each time for
identification.

More Details

CitrusDB uses a cookie user_name to determine the name of the user and a
cookie id_hash to check if the user_name is valid. The id_hash is a md5
checksum of the username with the string "boogaadeeboo" appended.
Example:
user_name: admin
id_hash: md5sum("adminboogaadeeboo") = 4b3b2c8666298ae9771e9b3d38c3f26e
An attacker only needs to guess a correct username, "admin" normally
will
work since it is the default administrator name in CitrusDB.

Proof of Concept

curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e;
user_name=admin" http://<targethost>/citrusdb/tools/index.php

Workaround

Change $hidden_hash_var in /citrusdb/include/user.inc.php to a value
different than "boogaadeeboo". This way the an attacker needs to
acquire a
correct cookie to get access.

Fix

citusdb should determine a value for $hidden_hash_var at install time
ensuring that this value is different

Security Risk

The security risk is very high because an attacker may gain full
control of
CitrusDB.

History

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0408

RedTeam

RedTeam is penetration testing group working at the Laboratory for
Dependable
Distributed Systems at RWTH-Aachen University. You can find more
Information
on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/


Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/

Related

nessus 1
cve 1
securityvulns 1
nessus
nessus
CitrusDB Static id_hash Admin Authentication Bypass
2005-02-16 00:00:00
cve
cve
CVE-2005-0408
2005-02-14 05:00:00
securityvulns
securityvulns
[Full-Disclosure] Advisory: Upload Authorization bypass in CitrusDB
2005-02-15 00:00:00
JSON
Related for SECURITYVULNS:DOC:7826
nessus1cve1securityvulns1