CVE-2005-0408
CVSS7.5
发布时间 :2005-02-14 00:00:00
修订时间 :2008-09-10 15:35:31
NMCOPS    

[原文]CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.


[CNNVD]CitrusDB远程认证绕过漏洞(CNNVD-200502-050)

        CitrusDB 是一个基于Web的客户关系维护和账单管理解决方案。
        CitrusDB 0.3.6及更早版本会为id_hash cookie生成易于预测的用户名MD5散列,这可让远程攻击者绕过认证,并通过计算用户名与"boogaadeeboo"字符串组合的MD5校验和来获取特权,这是在$hidden_hash变量中硬编码的。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0408
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0408
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-050
(官方数据源) CNNVD

- 其它链接及资源

http://www.redteam-pentesting.de/advisories/rt-sa-2005-002.txt
(VENDOR_ADVISORY)  MISC  http://www.redteam-pentesting.de/advisories/rt-sa-2005-002.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031707.html
(UNKNOWN)  FULLDISC  20050214 Advisory: Authentication bypass in CitrusDB

- 漏洞信息

CitrusDB远程认证绕过漏洞
高危 设计错误
2005-02-14 00:00:00 2006-05-12 00:00:00
远程  
        CitrusDB 是一个基于Web的客户关系维护和账单管理解决方案。
        CitrusDB 0.3.6及更早版本会为id_hash cookie生成易于预测的用户名MD5散列,这可让远程攻击者绕过认证,并通过计算用户名与"boogaadeeboo"字符串组合的MD5校验和来获取特权,这是在$hidden_hash变量中硬编码的。

- 公告与补丁

        暂无数据

- 漏洞信息 (F36180)

rt-sa-2005-002.txt (PacketStormID:F36180)
2005-02-25 00:00:00
 
advisory,bypass
CVE-2005-0408
[点击下载]

CitrusDB suffers from an authentication bypass vulnerability in version 0.3.6.

--Apple-Mail-26--887768831
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

                  Advisory: Authentication bypass in CitrusDB

A group of Students in our lab called RedTeam found an authentication  
bypass vulnerability in CitrusDB which can
result in complete corruption of the installed CitrusDB application.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <=0.3.6
Immune Version: none (2005-01-30)
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed
Advisory-URL:   
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 
-002
Advisory-Status: public
CVE: CAN-2005-0408  
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0408#)

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP  
and a
database backend (currently MySQL) to keep track of customer  
information,
services, products, billing, and customer service information."

CitrusDB uses the same personal cookie for every user at each time for
identification.

More Details
============

CitrusDB uses a cookie user_name to determine the name of the user and a
cookie id_hash to check if the user_name is valid. The id_hash is a md5
checksum of the username with the string "boogaadeeboo" appended.
Example:
user_name: admin
id_hash: md5sum("adminboogaadeeboo") = 4b3b2c8666298ae9771e9b3d38c3f26e
An attacker only needs to guess a correct username, "admin" normally  
will
work since it is the default administrator name in CitrusDB.

Proof of Concept
================

curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e;
user_name=admin" http://<targethost>/citrusdb/tools/index.php

Workaround
==========

Change $hidden_hash_var in /citrusdb/include/user.inc.php to a value
different than "boogaadeeboo". This way the an attacker needs to  
acquire a
correct cookie to get access.

Fix
===

citusdb should determine a value for $hidden_hash_var at install time
ensuring that this value is different

Security Risk
=============

The security risk is very high because an attacker may gain full  
control of
CitrusDB.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0408

RedTeam
=======

RedTeam is penetration testing group working at the Laboratory for  
Dependable
Distributed Systems at RWTH-Aachen University. You can find more  
Information
on the RedTeam Project at  
http://tsyklon.informatik.rwth-aachen.de/redteam/

-- 
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/

--Apple-Mail-26--887768831
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Disposition: attachment;
	filename=smime.p7s

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGWzCCAxQw
ggJ9oAMCAQICAwzibTANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh
d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt
YWlsIElzc3VpbmcgQ0EwHhcNMDQwODE4MTI1MTUxWhcNMDUwODE4MTI1MTUxWjBUMR8wHQYDVQQD
ExZUaGF3dGUgRnJlZW1haWwgTWVtYmVyMTEwLwYJKoZIhvcNAQkBFiJkb3Juc2VpZkBpbmZvcm1h
dGlrLnJ3dGgtYWFjaGVuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxAwMVffI
m78UUzzFpUTBaD3jzSOQABB4r+iznf6HnZ8oJUYvwbjZ8Na/S8Ie4o7VXAA2Dp2ipgAtvypY3VPI
d7LVdcQVJQNOLYQnICMJf7xTtXIoC7gDlOZFRfIl0zdrvNIOx+nhXgIgoQ7/IUcGQXF5Xgjg4sp1
YH4BFNOGNwl5VqwmazxtIGz5Bxzp3MJMV21T4MDBqX9DJcT9Oq+73fCCHzJh4tyNRrBI2ty9lvUB
n4dMv86jYDPK1BJmI9dy0/NM0ryA2ShHPmnxxNPd5i0s6g41L5M72garF5/RYEViEmTryAaI2yre
0Ps4EVmGH03FLEzTFvLDJL3FeL5gGQIDAQABo2IwYDAOBgNVHQ8BAf8EBAMCA/gwEQYJYIZIAYb4
QgEBBAQDAgWgMC0GA1UdEQQmMCSBImRvcm5zZWlmQGluZm9ybWF0aWsucnd0aC1hYWNoZW4uZGUw
DAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCJCkQHOMXRjNdwnsWFWz8553dpExvcZ6Ff
tPAoXMkArHRvenUCNY+1e9hAed7mcHs4EP9Y04V52b9tJ/NaTR6tQUS8PzO2P/Aw3hjKwh/3CdKO
FwG15KEcZW3KG0jy4Tlp8re0wcxXBxKygq0k7TRqx338MwEVPCisWB+NHumcUDCCAz8wggKooAMC
AQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh
cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNV
BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJz
b25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3Rl
LmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYD
VQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29u
YWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqq
P3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEE
QB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSG
Mmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZI
hvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNw
PP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTl
EBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggLnMIIC4wIBATBpMGIxCzAJBgNVBAYTAlpBMSUw
IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDOJtMAkGBSsOAwIaBQCgggFTMBgGCSqGSIb3DQEJ
AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA1MDIxNDIxMTg1M1owIwYJKoZIhvcNAQkE
MRYEFMhbtB3YdAkUNQMuAcEcXPrvAWZlMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMM4m0wegYLKoZIhvcNAQkQAgsxa6BpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQD
EyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDOJtMA0GCSqGSIb3DQEBAQUA
BIIBAI/B3khWgoCfM9F5peNKRlNzz1V73Ta4BCd5UESCxrmietCZ1vnO823pPUue8s92thqSrbdk
ANlJjPu8C79IGSEFGy4Dx10+8s9FNsbGdRzVIXVnLdNnzxf9ekICQbU6cu0H0JGKzH/DT/sDian7
mw9A0FAg294B7fSaR1Z6Wy0ZorxPE1QY2+mBhcVsLOu1AGYpzLCSLWkDQt6IJ25rKMgt2OxAv/gR
yYVHR2bxc06QCsc4vns1FLe66b3/s0v/GC0PH0/rWzfxXvM0hZso2Mfaod6qqgnk6oHA4T/FcBJ/
etlQIhRpg2ssr9XIWxbQdZ10sMSpJ78TH41PLw8Dr8sAAAAAAAA=

--Apple-Mail-26--887768831--

    

- 漏洞信息

13782
CitrusDB Static id_hash Admin Authentication Bypass

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-13 Unknow
2005-02-13 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

CitrusDB Remote Authentication Bypass Vulnerability
Design Error 12560
Yes No
2005-02-15 12:00:00 2009-07-12 10:06:00
Discovery of this vulnerability is credited to RedTeam.

- 受影响的程序版本

CitrusDB Customer Database 0.3.6

- 漏洞讨论

CitrusDB is reportedly affected by an authentication bypass vulnerability. This issue is due to the application using a static value during the creation of user cookie information.

An attacker could exploit this vulnerability to log in as any existing user, including the 'admin' account.

This issue is reported to affect CitrusDB 0.3.6; earlier versions may also be affected.

- 漏洞利用

No exploit is required.

The following proof of concept is available for demonstrating cookie information sufficient to log in as 'admin':
curl -D - --cookie "id_hash=4b3b2c8666298ae9771e9b3d38c3f26e;
user_name=admin" http://www.example.com/citrusdb/tools/index.php

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站