Date:         Fri, 26 Jan 2001 14:30:25 -0500
From: "Forrest J. Cavalier III" <mibsoft@MIBSOFTWARE.COM>
Subject:      NewsDaemon remote administrator access
To: BUGTRAQ@SECURITYFOCUS.COM

SUMMARY
-------

In all versions of NewsDaemon prior to 0.21b (released 25 Jan 2001),
it is possible to spoof a global variable in an HTTP request and
obtain administrator access remotely.

NewsDaemon is the PHP-based Web log software that runs
http://daily.daemonnews.org/, a popular news and discussion
site for the BSD communities.

The NewsDaemon software is freely available at
    http://sourceforge.net/projects/newsdaemon/

PHP is a freely available server-side scripting language
from http://www.php.net/



COMMON PHP VULNERABILITY
------------------------
It is common practice to configure PHP with register_globals
set on.  Depending on the setting of gpc_order, this makes
all GET, POST, ENV, and COOKIE values available as global
variables.

This behavior can be quite useful, but requires care to
ensure that all global variables are assigned from trusted
input and aren't "spoofed" by GET or POST values.

When a global value can be spoofed, it can often be used
to change the operation of the script and/or of SQL queries
that do not properly escape single quotes.
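To make the register_globals behaviour concrete, here is an added example (not NewsDaemon's code) that emulates the import in a function called emulate_register_globals() driven by a gpc_order string, then contrasts a script that leaves $user_username unset until it sees a valid session with one that assigns an empty string first. The request data, the variable names and the session check are constructed for the demonstration.

```php
<?php
// Added example (not NewsDaemon code): emulate what register_globals=On
// does with gpc_order, then show why initializing $user_username matters.
// All request data below is constructed for the demonstration.

// Emulate register_globals: import each source in gpc_order; a later
// source overwrites an earlier one, which is how PHP's gpc_order works.
function emulate_register_globals($sources, $gpc_order)
{
    $globals = array();
    for ($i = 0; $i < strlen($gpc_order); $i++) {
        $letter = $gpc_order[$i];           // 'G', 'P' or 'C'
        if (!isset($sources[$letter])) {
            continue;
        }
        foreach ($sources[$letter] as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// Constructed request: no valid login cookie, but a GET parameter that
// happens to share the name of the script's trusted variable.
$sources = array(
    'G' => array('user_username' => 'anything-from-the-query-string'),
    'P' => array(),
    'C' => array('session' => 'not-a-valid-session'),
);
$imported = emulate_register_globals($sources, 'GPC');

// Vulnerable shape: the script only sets $user_username when the
// session is valid, so an unset variable keeps the imported value.
function resolve_user_vulnerable($imported)
{
    extract($imported);                  // what register_globals did for you
    if (isset($session) && $session == 'valid') {
        $user_username = 'alice';        // trusted: from the session store
    }
    return isset($user_username) ? $user_username : '';
}

// Hardened shape: assign an empty string first, so the variable is
// never left holding whatever the request supplied.
function resolve_user_hardened($imported)
{
    extract($imported);
    $user_username = '';                 // trusted default before any check
    if (isset($session) && $session == 'valid') {
        $user_username = 'alice';
    }
    return $user_username;
}

echo "vulnerable: '" . resolve_user_vulnerable($imported) . "'\n";
echo "hardened:   '" . resolve_user_hardened($imported) . "'\n";
?>
```

Run from the command line, the first line shows the query-string value surviving into the administrator check, while the second shows an empty username; the only difference between the two functions is the single assignment before the session test.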



SPECIFIC VULNERABILITY
----------------------
In the case of NewsDaemon, the global variable $user_username
is used to check the administrator level using a MySQL
query (edited for clarity):

  SELECT admin_level FROM access, users WHERE
         users.username = '$user_username' AND users.id=access.user_id

It was possible to spoof $user_username with single quotes
embedded, changing the operation of the SQL statement:

  SELECT admin_level FROM access, users WHERE
         users.username = ''
         OR admin_level=2 OR username ='x' AND users.id=access.user_id

This gains administrator privileges, allowing viewing of the
user list, assigning privileges, approving stories, etc.



SOLUTION #1
-----------
NewsDaemon 0.21b is released with changes to allow operation
with PHP register_globals set to Off.  In PHP 4 (and in PHP3 when
track_vars is on) all GET and POST values are now obtained
from associative arrays.

More information on PHP configuration is at:
     http://www.php.net/manual/en/configuration.php



ALTERNATIVE SOLUTION
--------------------
If you are unable to set register_globals off (or are running PHP3),
you must make changes to NewsDaemon (even the 0.21b release)
to ensure that $user_username is not spoofed.

Simply assigning $user_username = '' at the top of user_info.php3
will ensure this.




ALTERNATIVE SOLUTION #2
-----------------------
Properly quoting all values into the MySQL query would prevent
modifying the operation of the SQL statement.

There are variations in quoting for different SQL database managers.

A PHP quoting function suitable for quoting in ODBC or MySQL
can be found in librock_db.php3, located at:

   http://www.mibsoftware.com/librock/data/database/

The function name is librock_db_Quote().
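As an added example (not NewsDaemon's code and not the librock library), the following combines solution #1 and alternative solution #2: the login name is fetched from PHP's associative request arrays instead of a bare global, and every value placed in the query is quoted as a literal. nd_quote() and ansi_quote() are hypothetical helpers written here to show the MySQL and ANSI/ODBC quoting variations; they are not librock_db_Quote(). The spoofed value used at the end is constructed for the demonstration.

```php
<?php
// Added example, not NewsDaemon or librock code. Shows the two fixes the
// advisory describes: take request values from PHP's associative arrays
// instead of a bare global, and quote every value placed in the SQL.
// nd_quote() and ansi_quote() are hypothetical helpers written here;
// they are not librock_db_Quote().

// MySQL-style literal: escape backslash first, then the single quote,
// then NUL, newline and carriage return, so none can close the literal.
// str_replace() applies the pairs in order over the running result.
function nd_quote($value)
{
    $search  = array("\\",   "'",   "\0",  "\n",  "\r");
    $replace = array("\\\\", "\\'", "\\0", "\\n", "\\r");
    return "'" . str_replace($search, $replace, (string) $value) . "'";
}

// ANSI/ODBC-style literal: backslash is not special, so only the single
// quote needs doubling. Pick the function matching the database in use.
function ansi_quote($value)
{
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Fetch the login name explicitly from the POST array. $_POST exists
// from PHP 4.1.0; $HTTP_POST_VARS is the older PHP 4 array. Nothing here
// depends on register_globals, so the value is never a spoofed global.
function request_username()
{
    global $HTTP_POST_VARS;
    if (isset($_POST['user_username'])) {
        return (string) $_POST['user_username'];
    }
    if (isset($HTTP_POST_VARS['user_username'])) {
        return (string) $HTTP_POST_VARS['user_username'];
    }
    return '';
}

// The advisory's query with the value quoted in as a single literal.
function admin_level_sql($username)
{
    return "SELECT admin_level FROM access, users WHERE users.username = "
         . nd_quote($username) . " AND users.id = access.user_id";
}

$username = request_username();
if ($username === '') {
    // Constructed value for the demonstration, shaped like the spoofed
    // one in the advisory; when run from the command line there is no POST.
    $username = "' OR admin_level=2 OR username ='x";
}

echo admin_level_sql($username), "\n";
echo "ANSI form of the same value: ", ansi_quote($username), "\n";
?>
```

With the constructed value, the printed query carries the whole string as one quoted literal (each embedded quote appears as \'), so the WHERE clause compares against a username containing those characters instead of acquiring an extra OR branch. The ANSI form is printed separately because the escaping rules differ between database managers, which is why the advisory warns against assuming one quoting routine fits all of them.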



DEVELOPER COORDINATION
----------------------
The problem was discovered by a source code inspection by
Forrest J. Cavalier III, and the developers and DaemonNews
editors were notified on January 23, 2001.

Fixes to NewsDaemon were developed and tested by them, and
released on January 25, 2001.

--

Forrest J. Cavalier III, Mib Software  Voice 570-992-8824

http://www.rocketaware.com/ has over 30,000 links to
source, libraries, functions, applications, and documentation.