
Wednesday, July 20, 2005

[EXPL] phpSlash Account Hijacking (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

phpSlash Account Hijacking (Exploit)
------------------------------------------------------------------------

SUMMARY

" <http://www.php-slash.org> phpSlash is a powerful CMS written in PHP
that provides easy and flexible means to publish community-based websites.
It currently boasts full HTML templates, an OO design, the ability to
operate in a hosted environment."

An input validation flaw discovered in phpSlash can be used to gain
elevated privileges by hijacking the administrator's account.

DETAILS

Vulnerable Systems:
* phpSlash versions 0.7.1, 0.7.2, and 0.8.X

There is an input validation flaw in Author.class::saveProfile which can be
used to gain root privileges by hijacking a user account. In function
saveProfile, the author_id value is retrieved from the wrong source: the
user info in $ary is never compared with the author_id associated to the
running session.

Vulnerable Code:
<?
/* Code extracted from Author.class */
function saveProfile($ary) {
    global $HTTP_COOKIE_VARS;

    // ( ... snip ... )
    // $serial_opts is built in the snipped part of the function

    /**********************************
     * This sql query is using data from an untrusted source ( $ary ) *
     **********************************/

    $this->db->query("SELECT author_id
                      FROM psl_author
                      WHERE author_id = '".$ary['author_id']."'");

    /**********************************
     * This condition is not relevant in that context, it is the current *
     * author_id (from $this->auth) that should eventually be compared    *
     **********************************/

    if ($this->db->next_record()) {
        if ($ary['password'] == "") {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            // use $this->auth->auth['uid'] instead of untrusted $ary
        } else {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      password = MD5('$ary[author_name]:$ary[password]'),
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";

            /******************************/
            // use $this->auth->auth['uid'] and $this->auth->auth['uname']
            // instead of untrusted $ary
            /******************************/
        }
    }
    // ( ... snip ... )
}
?>

A malicious registered user can forge an HTTP request that overwrites the
preferences of other author(s), including author real name, email address,
URL, and password. A malicious developer can easily code an automated
attack with the help of the self-registration capacity offered by phpSlash
and build a CMS-based zombie network. In fact, any registered user with the
AuthorSaveProfile perm can overwrite other accounts' preferences.
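The advisory's inline comments point at the fix: take the author identity from the authenticated session and ignore whatever author_id the form carries. The following is an added example written for this page, not phpSlash code; it assumes that $auth['uid'] and $auth['uname'] hold the logged-in author's id and name (as the comments in the extract suggest), uses PDO as a stand-in for phpSlash's own database layer, and takes the already-serialised $serial_opts as a parameter since the extract snips how it is built. Because the original queries also interpolate request values straight into the SQL text, the hardened version binds every value as a parameter.

```php
<?php
// Added example, not phpSlash code. A hardened saveProfile() that ties the
// UPDATE to the authenticated session instead of the submitted form.
// Assumptions (not confirmed by the advisory): $auth['uid'] / $auth['uname']
// hold the logged-in author's id and name; PDO stands in for phpSlash's own
// DB layer; $serial_opts is the serialised options string from the snipped
// part of the original function.

final class AuthorProfile
{
    public function __construct(private PDO $db, private array $auth)
    {
    }

    /**
     * Save the caller's own profile. $ary is the raw HTTP request array and
     * is untrusted: any author_id it carries is ignored, not compared.
     */
    public function saveProfile(array $ary, string $serial_opts): bool
    {
        // Authoritative identity comes from the session, never from the form.
        $uid   = (int) ($this->auth['uid'] ?? 0);
        $uname = (string) ($this->auth['uname'] ?? '');
        if ($uid <= 0 || $uname === '') {
            return false; // no authenticated author, nothing to save
        }

        // Detection hook: a form naming a different author_id is a tampering
        // signal worth logging, even though it has no effect on the UPDATE.
        if (isset($ary['author_id']) && (int) $ary['author_id'] !== $uid) {
            error_log(sprintf('saveProfile: uid %d submitted author_id %s; ignored',
                $uid, (string) $ary['author_id']));
        }

        $params = [
            ':author_name'     => (string) ($ary['author_name'] ?? ''),
            ':author_realname' => (string) ($ary['author_realname'] ?? ''),
            ':url'             => (string) ($ary['url'] ?? ''),
            ':email'           => (string) ($ary['email'] ?? ''),
            ':quote'           => (string) ($ary['quote'] ?? ''),
            ':author_options'  => $serial_opts,
            ':uid'             => $uid,
        ];
        $set = 'author_name = :author_name, author_realname = :author_realname, '
             . 'url = :url, email = :email, quote = :quote, '
             . 'author_options = :author_options';

        if (($ary['password'] ?? '') !== '') {
            // Same MD5(name:password) derivation the extract shows, but built
            // from the session user name and bound as a parameter. A modern
            // code base would store password_hash() output instead.
            $params[':password'] = md5($uname . ':' . (string) $ary['password']);
            $set .= ', password = :password';
        }

        // Every value is bound, so request data can no longer change the SQL
        // text, and the WHERE clause can only ever match the caller's row.
        $stmt = $this->db->prepare("UPDATE psl_author SET $set WHERE author_id = :uid");
        $stmt->execute($params);

        // More than one affected row would mean the WHERE clause no longer
        // pins a single author; treat that as a failure.
        return $stmt->rowCount() <= 1;
    }
}
```

With the author_id fixed to the session, the AuthorSaveProfile perm only lets a self-registered user change their own row, which is what the permission was meant to grant in the first place.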

Recognizing a vulnerable site varies with the configuration and version of
the package; matching them will depend principally on version
identification, which should be the subject of a second bulletin
uncovering the more generic HTML fingerprinting problem found in the
common footer templates.

The point to focus on to identify whether your version is vulnerable is
the default perms assigned to a self-registered user (AuthorProfileSave,
id 50).

Note:
Some upgrades (7 to 8) seem not to have this perm set, and therefore are
not vulnerable. Some versions with configuration value 'authmode' set to
'log' are less vulnerable to manual or automated attacks.

Fix:
Download the latest package (0.8.1) from the phpSlash project page :
<http://sourceforge.net/project/showfiles.php?group_id=10566>

ADDITIONAL INFORMATION

The information has been provided by <mailto:tobozo@madchat.org> tobozo.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
