
Mambo SiteServer exploit gains administrative privileges

by Nikola Strahija on February 24th, 2003

A vulnerability in /administrator/index2.php allows any user to gain administrator access as long as they know any sessionid present in the session table the script uses.


Actually, you would think that simply logging in as a normal user would
create this sessionid; however, a bug in the project's PHP source code makes
sure this does not happen.

Anyone with a slight knowledge of PHP knows that a cookie set with
setcookie() is not visible to the script until the browser sends it back on
the next request. Anyone but the coders of Mambo SiteServer, that is:

setcookie("sessioncookie", "$sessionID");
if ($HTTP_COOKIE_VARS["sessioncookie"]!="") {
    $query="INSERT into ".$dbprefix."session set
        session_id='$cryptSessionID', guest='', userid='$uid',
        usertype='$usertype', gid='$gid', username='$username'";
    $database->openConnectionNoReturn($query);
}

As we can see, Mambo SiteServer checks whether the cookie has been set before
it inserts the sessionid into the table. Because the cookie has not reached
the script yet, no sessionid is inserted, and therefore we cannot "log in"
to the administrator directory either.

Moving on in the source code to SessionCookie.php (which is called when
you log out), we can see that a sessionid is inserted whenever you log out.
Why? I have no idea.

$current_time = time();
if ($HTTP_COOKIE_VARS["sessioncookie"]==""){
    $randnum=getSessionID1();
    ...
    $cryptrandnum=md5($randnum);
    ...
    setcookie("sessioncookie", "$randnum");
    $guest=1;
    $query="INSERT into ".$dbprefix."session SET username='',
        time=$current_time, session_id='$cryptrandnum', guest=$guest";
    $database->openConnectionNoReturn($query);
}

A cookie looking something like the following will now be sent to the
browser:

sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063

All we have to do is MD5-hash it, since that is what was done to the
session ID that was inserted into the MySQL table. In this example the
hashed version is:

0ebda5bbba49dc226b4ed8fc801f1d98

By accessing /administrator/index2.php with this session ID, Mambo SiteServer
will think that we are the logged-in administrator:

/administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98
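The three pieces of logic discussed above, the login INSERT that never ran, the logout path that inserts a guest row, and the index2.php check that accepts any existing session_id, modelled in PHP as an added example that is not Mambo SiteServer's code. The vulnerable check is shown beside a hardened one that also requires a non-guest row, an administrator usertype and an unexpired timestamp. The in-memory session array, the ADMIN_USERTYPE and SESSION_LIFETIME values, and the sample user id, gid and names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Mambo SiteServer's code. The session "table" is an
// in-memory array keyed by the md5 session_id, with the columns named in the
// INSERT statements from the advisory. ADMIN_USERTYPE, SESSION_LIFETIME and
// all sample ids/names are assumptions made for this example.

const ADMIN_USERTYPE   = 'administrator';
const SESSION_LIFETIME = 900; // seconds

// The check the advisory attributes to index2.php: any session_id that exists
// in the table is accepted, guest rows included.
function vulnerableIsAdminSession(array $table, string $sessionId): bool
{
    return isset($table[$sessionId]);
}

// Hardened check: the row must exist, must not be a guest row, must carry the
// administrator usertype, and must be younger than SESSION_LIFETIME.
function hardenedIsAdminSession(array $table, string $sessionId, int $now): bool
{
    if (!isset($table[$sessionId])) {
        return false;
    }
    $row = $table[$sessionId];
    return (int) $row['guest'] === 0
        && $row['usertype'] === ADMIN_USERTYPE
        && ($now - (int) $row['time']) <= SESSION_LIFETIME;
}

// Hardened login: insert the row unconditionally, using the id just generated.
// The original code tested $HTTP_COOKIE_VARS right after setcookie(); that
// array holds what the browser sent with this request, so the new cookie is
// never there and the INSERT never ran.
function loginInsertSession(array &$table, string $rawSessionId, int $userId,
                            string $usertype, int $gid, string $username, int $now): string
{
    $cryptSessionId = md5($rawSessionId);
    $table[$cryptSessionId] = [
        'guest'    => 0,
        'userid'   => $userId,
        'usertype' => $usertype,
        'gid'      => $gid,
        'username' => $username,
        'time'     => $now,
    ];
    return $cryptSessionId;
}

// Hardened logout: delete the caller's row. SessionCookie.php instead inserted
// a fresh guest row, which is exactly the row the vulnerable check accepts.
function logoutRemoveSession(array &$table, string $cryptSessionId): void
{
    unset($table[$cryptSessionId]);
}

if (PHP_SAPI === 'cli') {
    $now   = time();
    $table = [];

    // Constructed guest row in the shape SessionCookie.php writes on logout.
    $guestId = md5('constructedGuestRandom' . $now);
    $table[$guestId] = ['guest' => 1, 'userid' => 0, 'usertype' => '',
                        'gid' => 0, 'username' => '', 'time' => $now];

    // Constructed administrator login (user id 62 and gid 25 are made-up values).
    $adminId = loginInsertSession($table, 'constructedAdminRandom' . $now,
                                  62, ADMIN_USERTYPE, 25, 'admin', $now);

    foreach (['guest' => $guestId, 'admin' => $adminId] as $label => $id) {
        printf("%-5s session: vulnerable=%s hardened=%s\n", $label,
            vulnerableIsAdminSession($table, $id) ? 'admin' : 'denied',
            hardenedIsAdminSession($table, $id, $now) ? 'admin' : 'denied');
    }

    // After logout the administrator row is gone and its id stops working.
    logoutRemoveSession($table, $adminId);
    printf("after logout: hardened=%s\n",
        hardenedIsAdminSession($table, $adminId, $now) ? 'admin' : 'denied');
}
```

Run it with `php example.php`. The guest row passes the vulnerable check and fails the hardened one, which is the difference that matters: an attacker who learns a session_id from a logout still needs it to belong to a non-guest administrator row that has not expired. Note that the hardened check alone does not remove the weakness that the table key is only the md5 of the raw cookie value; a session id should be generated from a cryptographically secure random source and stored in a form that a leaked cookie value does not trivially reproduce.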


SUMMARY

Gaining administrative privileges gives access to all MySQL databases,
user passwords, news, polls and everything else the server has. Many
websites run Mambo SiteServer alongside other scripts that require
MySQL, so this is a huge threat to many webmasters.


SOLUTIONS

Until Mambo releases a patch for this vulnerability, I suggest
password-protecting your /administrator directory with .htaccess.


VENDOR STATUS

The vendor has reportedly been notified. They are currently developing
a patch for this vulnerability.

EXPLOIT: http://www.voidnull.com/exploit/mamboexp.phps

