Macromedia DW MX PHP Authentication Suite Vulnerabilities





-------------------
Product: PHP Authentication Suite for DreamWeaver
Vendor: Macromedia 
Versions:
VULNERABLE

- DreamWeaver MX 6.0 
- All PHP authentication systems generated with it 
- Variables: any access-denied variable, e.g. accessdenied

NOT VULNERABLE

- ?
---------------------

Description:

The PHP User Authentication Suite consists of four server behaviors for 
restricting access to websites for the Dreamweaver MX PHP server model. 
The four server behaviors are:
- Log In User
- Restrict Access to Page
- Log Out User
- Check New Username

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered an XSS (Cross Site Scripting) vulnerability in the LOGIN 
system that allows script code to be injected into the result page / 
login form.

---------------------
| XSS IN            |
|      LOGIN FORMS  | 
---------------------

The XSS is in the access-denied variable, which carries the URL of the 
denied page (URL encoded):

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]=%2F[DIR1]%2F[DIR2]%2F[DIR3]%2F[FORBIDDEN PAGE]

This occurs when you attempt to access a page of the website that 
requires a valid authentication token.

The page redirects you to the [LOGIN PAGE] and appends a special 
variable to the query string, [ACCESS DENIED VARIABLE]=, carrying the 
URL of the denied page that was accessed (from the root directory, 
e.g. /dir1/dir2/dir3/secret.php), URL encoded.

The XSS attack occurs when you write script code into the variable, 
closing the form tag first:

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]="><script>alert('.::\/\|NSRG-18-7|/\/::.');</script>


Examples:

http://www.victim.foo/secrets/login.php?accessdenied=%2Fsecrets%2Findex.php
<- ( /secrets/index.php )

http://www3.bigbank.biz/admin/ccarddb/admin.php?accessdenied=%2Fadmin%2Fccarddb%2Fexport.database.content.php
<- ( /admin/ccarddb/export.database.content.php )

http://www.sco.fm/is/a/big/*h*t.php?notalinuxerror=%2Flinuxsourcecode%2Fcopytosco.php
<- ( /linuxsourcecode/copytosco.php )

- Proof of Concept: -

Access a forbidden page; you are redirected to a URL like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?[ACCESS DENIED VARIABLE]=%2Fsecrets%2Fbankaccounts.php

Then modify the variable like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?ACCESSDENIED="><iframe src="ANTI-TESTING.FOO"></iframe>

-----------
| CODES   |
-----------

The LOGIN page code:

<?php require_once('[SQL CONNECTION]'); ?>
<?php
// *** Logout the current user.
$FF_Logout = $HTTP_SERVER_VARS['PHP_SELF'] . "?FF_Logoutnow=1";
if (isset($HTTP_GET_VARS['FF_Logoutnow']) && $HTTP_GET_VARS['FF_Logoutnow']=="1") {
  session_start();
  session_unregister("MM_Username");
  session_unregister("MM_UserAuthorization");
  $FF_logoutRedirectPage = "[LOGIN PAGE]";
  // redirect with URL parameters (remove the "FF_Logoutnow" query param).
  if ($FF_logoutRedirectPage == "") $FF_logoutRedirectPage = $HTTP_SERVER_VARS['PHP_SELF'];
  if (!strpos($FF_logoutRedirectPage, "?") && $HTTP_SERVER_VARS['QUERY_STRING'] != "") {
    $FF_newQS = "?";
    reset ($HTTP_GET_VARS);
    while (list ($key, $val) = each ($HTTP_GET_VARS)) {
      if($key != "FF_Logoutnow"){
        if (strlen($FF_newQS) > 1) $FF_newQS .= "&";
        $FF_newQS .= $key . "=" . urlencode($val);
      }
    }
    if (strlen($FF_newQS) > 1) $FF_logoutRedirectPage .= $FF_newQS;
  }
  header("Location: $FF_logoutRedirectPage");
  exit;
}

// *** Start the session
session_start();
// *** Validate request to log in to this site.
// The raw query string (including the accessdenied value) is carried into the login form's action.
$FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".$HTTP_SERVER_VARS['QUERY_STRING'];
if (isset($HTTP_POST_VARS['username'])) {
  $FF_valUsername=$HTTP_POST_VARS['username'];
  $FF_valPassword=$HTTP_POST_VARS['password'];
  $FF_fldUserAuthorization="UID";
  $FF_redirectLoginSuccess="access_granted.php";
  $FF_redirectLoginFailed="access_denied.php";
  $FF_rsUser_Source="SELECT USERNAME, PASSWD ";
  if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
  $FF_rsUser_Source .= " FROM [TABLE] WHERE USERNAME='" . $FF_valUsername . "' AND PASSWD='" . $FF_valPassword . "'";
  mysql_select_db($database_unp43s, $unp43s);
  $FF_rsUser=mysql_query($FF_rsUser_Source, $unp43s) or die(mysql_error());
  $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
  if(mysql_num_rows($FF_rsUser) > 0) {
    // username and password match - this is a valid user
    $MM_Username=$FF_valUsername;
    session_register("MM_Username");
    if ($FF_fldUserAuthorization != "") {
      $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
    } else {
      $MM_UserAuthorization="";
    }
    // *** THIS PART INCLUDES THE AFFECTED VARIABLES
    session_register("MM_UserAuthorization");
    if (isset($accessdenied) && false) {
      $FF_redirectLoginSuccess = $accessdenied;
    }
    mysql_free_result($FF_rsUser);
    session_register("FF_login_failed");
    $FF_login_failed = false;
    header ("Location: $FF_redirectLoginSuccess");
    exit;
  }
  mysql_free_result($FF_rsUser);
  session_register("FF_login_failed");
  $FF_login_failed = true;
  header ("Location: $FF_redirectLoginFailed");
  exit;
}

?>

The Access Restriction system code (with the XSS):

<?php
// *** Restrict Access To Page: Grant or deny access to this page
$FF_authorizedUsers=" xXx";
$FF_authFailedURL="[LOGIN PAGE]";
$FF_grantAccess=0;
session_start();
if (isset($HTTP_SESSION_VARS["MM_Username"])) {
  if (true || !(isset($HTTP_SESSION_VARS["MM_UserAuthorization"])) || $HTTP_SESSION_VARS["MM_UserAuthorization"]=="" || strpos($FF_authorizedUsers, $HTTP_SESSION_VARS["MM_UserAuthorization"])) {
    $FF_grantAccess = 1;
  }
}
if (!$FF_grantAccess) {
  $FF_qsChar = "?";
  if (strpos($FF_authFailedURL, "?")) $FF_qsChar = "&";
  $FF_referrer = $HTTP_SERVER_VARS['PHP_SELF'];
  if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && strlen($HTTP_SERVER_VARS['QUERY_STRING']) > 0) $FF_referrer .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
  // *** AFFECTED LINE: the denied page's URL is appended to the login URL as the accessdenied parameter
  $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);
  header("Location: $FF_authFailedURL");
  exit;
}
?>

The marked line is the affected code in the access restriction system.

-----------
|solution:|
-----------

Replace:

  $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);

with:

  $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=Your attempt was recorded";
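Added example, not from this advisory or from Dreamweaver's generated code: a hardened version of the two spots the login code above touches, the form action built from QUERY_STRING (assumed to be echoed into the form's action attribute, which is the tag the proof of concept closes) and the accessdenied value used as a redirect target when the "&& false" option is enabled. Escaping at output also covers the case shown in the proof of concept, where the parameter is set directly in the URL rather than by the access restriction page; the helper names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not part of the advisory or of Dreamweaver's generated code.
// Assumes the generated login form echoes $FF_LoginAction into its action
// attribute (the tag the proof of concept "closes") and PHP 5 or later.

// Build the form action exactly as the generated code does, then escape it
// for a double-quoted HTML attribute. The query string, tampered or not, is
// still carried along, but quotes and angle brackets become entities and
// can no longer terminate the <form> tag.
function login_action_attribute($phpSelf, $queryString) {
    $action = $phpSelf;
    if ($queryString !== '') {
        $action .= '?' . $queryString;
    }
    return htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
}

// Use the accessdenied value as a post-login redirect only when it is a
// site-local absolute path: one leading slash, no scheme or host, no
// protocol-relative "//" or backslash variant, and no CR/LF that could
// reach the Location header. Anything else falls back to the default page.
function safe_return_path($accessDenied, $defaultPage) {
    if (!is_string($accessDenied)) {
        return $defaultPage;
    }
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#D', $accessDenied) !== 1) {
        return $defaultPage;
    }
    $parts = parse_url($accessDenied);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $defaultPage;
    }
    return $accessDenied;
}

// Constructed sample inputs mirroring the advisory's proof of concept.
$tamperedQs = 'accessdenied="><script>alert(1)</script>';
echo '<form method="post" action="'
   . login_action_attribute('/secrets/login.php', $tamperedQs) . '">' . "\n";

// A genuine denied page is kept; a foreign host and a header-injection
// attempt both fall back to the default success page.
echo safe_return_path('/secrets/bankaccounts.php', 'access_granted.php'), "\n";
echo safe_return_path('//evil.example/x', 'access_granted.php'), "\n";
echo safe_return_path("/x\r\nSet-Cookie: a=b", 'access_granted.php'), "\n";
```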

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________

