Sysdream && Serial Savate System.

<[( advisory )]>---------------------------------------<[( xxxxxxxxxxx6.adv.en

Program          : PHPSLASH
Homepage         : http://www.php-slash.org
Author Contacted : 05/may/2005
Author's Answer  : 06/may/2005 joestewart
Version tested   : 0.7.1, 0.7.2, 0.8.*, dev
Found by         : crashfr at sysdream dot com
This Advisory    : tobozo at phpsecure dot info

- Application description
~~~~~~~~~~~~~~~~~~~~~~~~~

phpSlash is a powerful CMS written in PHP that provides easy and flexible
means to publish community-based websites. It currently boasts full HTML
templates, an OO design and the ability to operate in a hosted environment.
It provides an easy setup wizard, several WYSIWYG editors, and the ability to
absorb other applications as modules (psl mods) such as PHPlist, Wikka,
DotProject, HCL, Coppermine, eGroupWare ... It also supports external plugins
for content rendering like BBCode integration, Markdown, Smarty and Textile.

PHPSlash does NOT use PEAR (but PHPLIB), so it is NOT vulnerable to the
PEAR::XML-RPC flaw ;-)

- Problem description:
~~~~~~~~~~~~~~~~~~~~~

There is an input validation flaw in Author.class::saveProfile which can lead
to gaining root privileges by hijacking a user account. In function
saveProfile, the author_id value is retrieved from the wrong source: the user
info in $ary is not compared to the author_id associated with the running
session ...
    $this->db->query("SELECT author_id FROM psl_author WHERE author_id = '".$ary['author_id']."'");
    /********************************************************************
     * This condition is not relevant in that context, it is the current *
     * author_id (from $this->auth) that should eventually be compared   *
     ********************************************************************/
    if ($this->db->next_record()) {
        if ($ary['password'] == "") {
            $q = "UPDATE psl_author SET author_name = '$ary[author_name]',
                  author_realname = '$ary[author_realname]', url = '$ary[url]',
                  email = '$ary[email]', quote = '$ary[quote]',
                  author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            // use $this->auth->auth['uid'] instead of untrusted $ary
        } else {
            $q = "UPDATE psl_author SET author_name = '$ary[author_name]',
                  author_realname = '$ary[author_realname]', url = '$ary[url]',
                  email = '$ary[email]', quote = '$ary[quote]',
                  password = MD5('$ary[author_name]:$ary[password]'),
                  author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            /************************************************************/
            // use $this->auth->auth['uid'] and $this->auth->auth['uname']
            // instead of untrusted $ary
            /************************************************************/
        }
    }
    // ( ... snip ... )
}
?>

- Impact:
~~~~~~~~

A malicious registered user can forge an HTTP request that will overwrite the
preferences of other author(s) (including author realname, email address, url
and password).

A malicious developer can easily code an automated attack with the help of the
self-registration capacity offered by phpSlash and build a CMS-based zombie
network. In fact any registered user with the AuthorSaveProfile perm can
overwrite other accounts' preferences.
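To make the saveProfile flaw concrete from the defender's side, here is an added example, not phpSlash code, that models the vulnerable shape beside the corrected one. It assumes (these are not from the advisory) an in-memory SQLite table standing in for psl_author and the authenticated user's id and name passed in as a $session array; phpSlash's PHPLIB equivalents are $this->auth->auth['uid'] and $this->auth->auth['uname'], as the comments in the snippet above indicate.

```php
<?php
// Added example, not phpSlash code: a minimal model of the saveProfile flaw
// beside the corrected shape. Assumptions (not from the advisory): an
// in-memory SQLite table standing in for psl_author, and the authenticated
// user's id and name passed in as $session (phpSlash's PHPLIB equivalents
// are $this->auth->auth['uid'] and $this->auth->auth['uname']).

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE psl_author (author_id INTEGER PRIMARY KEY,
               author_name TEXT, email TEXT, password TEXT)');
    // Constructed sample rows: the site root and a freshly self-registered user.
    $db->exec("INSERT INTO psl_author VALUES (1, 'root', 'root@example.invalid', 'unchanged')");
    $db->exec("INSERT INTO psl_author VALUES (50, 'newuser', 'new@example.invalid', 'unchanged')");
    return $db;
}

// Vulnerable shape: the row to update is selected by the client-supplied
// author_id, so the submitted form decides whose account is rewritten.
function saveProfileVulnerable(PDO $db, array $session, array $ary): int
{
    $st = $db->prepare('UPDATE psl_author SET email = :email, password = :pw
                        WHERE author_id = :id');
    $st->execute([
        ':email' => $ary['email'],
        // mirrors the advisory's MD5('name:password') scheme
        ':pw'    => md5($ary['author_name'] . ':' . $ary['password']),
        ':id'    => $ary['author_id'],          // taken from the form, not the session
    ]);
    return $st->rowCount();
}

// Corrected shape: the row is always the session owner's, the name hashed
// into the password is the session's, and a posted author_id that disagrees
// with the session is treated as a tampered form and refused.
function saveProfileFixed(PDO $db, array $session, array $ary): bool
{
    if (isset($ary['author_id']) && (int) $ary['author_id'] !== (int) $session['uid']) {
        return false;   // caller should log this: the form was edited
    }
    $st = $db->prepare('UPDATE psl_author SET email = :email, password = :pw
                        WHERE author_id = :id');
    $st->execute([
        ':email' => $ary['email'],
        ':pw'    => md5($session['uname'] . ':' . $ary['password']),
        ':id'    => $session['uid'],            // from the authenticated session
    ]);
    return $st->rowCount() === 1;
}

function emailOf(PDO $db, int $id): string
{
    $st = $db->prepare('SELECT email FROM psl_author WHERE author_id = :id');
    $st->execute([':id' => $id]);
    return (string) $st->fetchColumn();
}

// Constructed scenario: user 50 is logged in but posts a form edited to
// carry root's author_id and author_name.
$session = ['uid' => 50, 'uname' => 'newuser'];
$forged  = ['author_id' => 1, 'author_name' => 'root',
            'email' => 'changed@example.invalid', 'password' => 'chosen'];

$db = setupDb();
saveProfileVulnerable($db, $session, $forged);
echo "vulnerable: root email is now " . emailOf($db, 1) . "\n";

$db = setupDb();
$ok = saveProfileFixed($db, $session, $forged);
echo "fixed: update " . ($ok ? 'applied' : 'refused')
   . ", root email is " . emailOf($db, 1) . "\n";
```

Run with the php CLI (pdo_sqlite enabled). The first run shows root's row rewritten by user 50; the second refuses the mismatched author_id and leaves root untouched. The refusal branch is the point worth logging in production: a posted author_id that differs from the session's uid only occurs when the profile form has been edited by hand, so it is a reliable indicator for the attack the advisory describes.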
Vulnerable site recognition may vary depending on the configuration and
version of the package; the ability to match them will depend principally on
version identification, which should be the subject of a second bulletin
uncovering the more generic HTML fingerprinting problem found in the common
footer templates.

The point to focus on to identify whether your version is vulnerable or not is
the default perms assigned to a self-registered user (AuthorProfileSave,
id 50). Some upgrades (7 to 8) seem not to have this perm set, and therefore
are not vulnerable. Some versions with the config value 'authmode' set to
'log' are less vulnerable to manual or automated attacks.

- Exploit:
~~~~~~~~

Based on the knowledge of the following information:

- the site's login url (predictable filename: login.php?login=yes&mode=reg)
- the ability to register without validation (logged in after registration)
- the ability to update users' profile (change author name)
- any existing pair author_realname/author_id (eg. found in search.php's html
  source code)
- the root's author_id and the admin's author_realname (predictable as found
  in the CVS source)

account hijacking can be done by performing the following actions:

- register for an account
- log in
- verify that you can update your profile
- copy the html source found in profile.php somewhere on your hard drive and
  edit it
- set the target value in the form to match the site's url
- alter the value of the input field 'author-name' to match the targeted
  user's author_name
- alter the value of the input field 'author_id' to match the targeted user's
  author_id
- open the html file in a browser
- type the desired password (twice)
- submit the form
- logout
- login as the targeted user's author_name and the previously chosen password
- voila

- Fix:
~~~~~

Download the latest package (0.8.1) from the phpslash project page:
http://sourceforge.net/project/showfiles.php?group_id=10566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Contact us:
~~~~~~~~~~~

http://www.phpsecure.info
http://www.sysdream.com
tobozo at phpsecure dot info
crashfr at sysdream dot com

- Greetings:
~~~~~~~~~~~

The phpSlash Team, Serial Savate System, crashfr, mOg

[EOF]