Date: Fri, 26 Jan 2001 14:30:25 -0500
From: "Forrest J. Cavalier III" <mibsoft@MIBSOFTWARE.COM>
Subject: NewsDaemon remote administrator access
To: BUGTRAQ@SECURITYFOCUS.COM

SUMMARY
-------

In all versions of NewsDaemon prior to 0.21b (released 25 Jan 2001), it is
possible to spoof a global variable in an HTTP request and obtain
administrator access remotely.

NewsDaemon is the PHP-based weblog software that runs
http://daily.daemonnews.org/, a popular news and discussion site for the
BSD communities. The NewsDaemon software is freely available at
http://sourceforge.net/projects/newsdaemon/

PHP is a freely available server-side scripting language from
http://www.php.net/

COMMON PHP VULNERABILITY
------------------------

It is common practice to configure PHP with register_globals set on.
Depending on the setting of gpc_order, this makes all GET, POST, ENV, and
COOKIE values available as global variables. This behavior can be quite
useful, but requires care to ensure that all global variables are assigned
from trusted input and aren't "spoofed" by GET or POST values.

When a global variable can be spoofed, the attacker can often change the
operation of the script and/or of SQL queries that do not properly escape
single quotes.

SPECIFIC VULNERABILITY
----------------------

In the case of NewsDaemon, the global variable $user_username is used to
check the administrator level using a MySQL query (edited for clarity):

    SELECT admin_level FROM access, users
    WHERE users.username = '$user_username'
    AND users.id=access.user_id

It was possible to spoof $user_username with single quotes embedded,
changing the operation of the SQL statement:

    SELECT admin_level FROM access, users
    WHERE users.username = '' OR admin_level=2 OR username ='x'
    AND users.id=access.user_id

This gains administrator privileges, allowing viewing of the user list,
assigning privileges, approving stories, etc.
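The following is an added example, not NewsDaemon code and not the librock
quoting routine mentioned later in this advisory. It builds the admin-level
query two ways from a constructed request value: once with the unquoted
interpolation shown above, and once after initialising the variable and
quoting the value for a MySQL string literal. A small tokenizer then reports
whether an OR clause ended up outside the string literal, which is exactly
what turns the lookup into a privilege check bypass. The names
quote_for_mysql(), vulnerable_admin_query(), hardened_admin_query(),
sql_outside_literals() and query_was_altered() are all invented for this
example; no database connection is used.

```php
<?php
// Added example (not NewsDaemon's code). Builds the admin-level query from a
// constructed request array and checks whether the SQL structure changed.

// Constructed sample request: the value an attacker would place in the
// spoofed global. A string literal here, not a live HTTP request.
$request = array(
    'user_username' => "' OR admin_level=2 OR username ='x",
);

// Quote a value as a MySQL single-quoted string literal by escaping
// backslashes and doubling embedded single quotes. Local helper written for
// this example (assumption: MySQL default escaping rules); with a real
// connection prefer mysql_real_escape_string() or prepared statements.
function quote_for_mysql($value)
{
    $value = str_replace('\\', '\\\\', $value);
    $value = str_replace("'", "''", $value);
    return "'" . $value . "'";
}

// Vulnerable pattern: whatever register_globals placed in $user_username
// is interpolated unquoted, mirroring the query in the advisory.
function vulnerable_admin_query($user_username)
{
    return "SELECT admin_level FROM access, users "
         . "WHERE users.username = '$user_username' "
         . "AND users.id=access.user_id";
}

// Hardened pattern: the variable starts from a fixed value (so an implicit
// global cannot supply it), is read explicitly from the request array, and
// is quoted before it reaches the SQL text.
function hardened_admin_query($request)
{
    $user_username = '';
    if (isset($request['user_username'])) {
        $user_username = (string) $request['user_username'];
    }
    return "SELECT admin_level FROM access, users "
         . "WHERE users.username = " . quote_for_mysql($user_username) . " "
         . "AND users.id=access.user_id";
}

// Return the parts of $sql lying outside single-quoted string literals.
// A doubled quote ('') inside a literal is treated as an escaped quote.
// Simplification: backslash escapes are not modelled.
function sql_outside_literals($sql)
{
    $outside = '';
    $in_literal = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $ch = $sql[$i];
        if ($in_literal) {
            if ($ch === "'") {
                if ($i + 1 < $len && $sql[$i + 1] === "'") {
                    $i++;                    // escaped quote, stay in literal
                } else {
                    $in_literal = false;     // literal closed
                }
            }
        } elseif ($ch === "'") {
            $in_literal = true;
        } else {
            $outside .= $ch;
        }
    }
    return $outside;
}

// True when an OR keyword appears in the structural (non-literal) part of
// the query, i.e. the attacker's input changed the WHERE clause.
function query_was_altered($sql)
{
    return preg_match('/\bOR\b/i', sql_outside_literals($sql)) === 1;
}

$spoofed = $request['user_username'];
echo vulnerable_admin_query($spoofed), "\n";
echo hardened_admin_query($request), "\n";
var_dump(query_was_altered(vulnerable_admin_query($spoofed)));
var_dump(query_was_altered(hardened_admin_query($request)));
```

Running this prints the two query strings followed by bool(true) for the
vulnerable construction and bool(false) for the hardened one: in the quoted
version the injected OR clauses remain inside the username literal, so the
query still compares users.username against one (odd-looking) string
instead of matching every row with admin_level=2.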
SOLUTION #1
-----------

NewsDaemon 0.21b is released with changes to allow operation with PHP
register_globals set to Off. In PHP 4 (and in PHP3 when track_vars is on)
all GET and POST values are now obtained from associative arrays.

More information on PHP configuration is at:
http://www.php.net/manual/en/configuration.php

ALTERNATIVE SOLUTION
--------------------

If you are unable to set register_globals off (or are running PHP3), you
must make changes to NewsDaemon (even the 0.21b release) to ensure that
$user_username is not spoofed. Simply assigning $user_username = '' at the
top of user_info.php3 will ensure this.

ALTERNATIVE SOLUTION #2
-----------------------

Properly quoting all values into the MySQL query would prevent modifying
the operation of the SQL statement. There are variations in quoting for
different SQL database managers. A PHP quoting function suitable for
quoting in ODBC or MySQL can be found in librock_db.php3, located at:
http://www.mibsoftware.com/librock/data/database/

The function name is librock_db_Quote()

DEVELOPER COORDINATION
----------------------

The problem was discovered by a source code inspection by Forrest J.
Cavalier III, and the developers and DaemonNews editors were notified on
January 23, 2001. Fixes to NewsDaemon were developed and tested by them,
and released on January 25, 2001.

--
Forrest J. Cavalier III, Mib Software  Voice 570-992-8824
http://www.rocketaware.com/ has over 30,000 links to source, libraries,
functions, applications, and documentation.