COMMAND

    NewsDaemon

SYSTEMS AFFECTED

    NewsDaemon prior to 0.21b

PROBLEM

    Forrest J. Cavalier III found the following.  In all versions of
    NewsDaemon prior to 0.21b, it is possible to spoof a global variable
    in an HTTP request and obtain administrator access remotely.

    NewsDaemon is the PHP-based weblog software that runs
    http://daily.daemonnews.org/, a popular news and discussion site
    for the BSD communities.

    The NewsDaemon software is freely available at

        http://sourceforge.net/projects/newsdaemon/

    It is common practice to configure PHP with register_globals set
    on.  This imports GET, POST and COOKIE values (along with ENV and
    SERVER values) into the script's global scope as variables of the
    same name; gpc_order (variables_order in later PHP 4 releases)
    decides which source wins when several supply the same name.

    This behavior  can be  quite useful,  but requires  care to ensure
    that  all  global  variables  are  assigned from trusted input and
    aren't "spoofed" by GET or POST values.

    When a global can be spoofed, the attacker can often change what
    the script does and/or, where the value reaches an SQL query that
    does not escape embedded single quotes, change the query itself.

    In the case of NewsDaemon, the global variable $user_username is
    used to look up the administrator level with a MySQL query (edited
    for clarity):

        SELECT admin_level FROM access, users WHERE
               users.username = '$user_username' AND users.id=access.user_id

    It was possible to spoof $user_username with single quotes embedded
    (a request value of  ' OR admin_level=2 OR username ='x  produces
    the statement below), changing the operation of the SQL statement:

        SELECT admin_level FROM access, users WHERE
               users.username = ''
               OR admin_level=2 OR username ='x' AND users.id=access.user_id

    Because AND binds tighter than OR, the injected OR admin_level=2
    clause matches every access row with level 2, whoever the visitor
    is.

    This gains administrator privileges, allowing viewing of the  user
    list, assigning privileges, approving stories, etc.

    The problem was discovered by source code inspection by Forrest
    J. Cavalier III, and the developers and DaemonNews editors were
    notified on January 23, 2001.  Fixes to NewsDaemon were  developed
    and tested by them, and released on January 25, 2001.

SOLUTION

    NewsDaemon 0.21b is released with changes to allow operation with
    PHP register_globals set to Off.  In PHP 4 (and in PHP3 when
    track_vars is on) all GET and POST values are now read from the
    $HTTP_GET_VARS and $HTTP_POST_VARS associative arrays rather than
    from bare globals.  More information on PHP configuration is at:

        http://www.php.net/manual/en/configuration.php

    If you  are unable  to set  register_globals off,  (or are running
    PHP3)  you  must  make  changes  to  NewsDaemon  (even  the  0.21b
    release) to ensure that $user_username is not spoofed.

    Simply assigning $user_username = '' at the top of user_info.php3
    will ensure this: the script's own assignment then overwrites any
    value the request registered under that name before it is used.
    Every other global the script relies on needs the same treatment.

    Properly quoting every value interpolated into the MySQL query
    (escaping embedded single quotes, and backslashes for MySQL) would
    also prevent changing the operation of the SQL statement.  Quoting
    rules vary between SQL database managers, so use a routine written
    for the one in use.
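    The spoof described under PROBLEM and the two fixes given above,
    modeled in Python against an in-memory SQLite database (an added
    example for this advisory, not NewsDaemon's code or the librock
    library).  The schema, the sample rows and the function names
    script_scope, admin_level_vulnerable, sql_quote and admin_level_fixed
    are assumptions chosen to fit the query quoted above; the request
    value is the one that yields the injected statement shown there.

```python
"""Model of the $user_username spoof described under PROBLEM and of the two
fixes given under SOLUTION (assign the variable in the script before use,
and quote every value interpolated into SQL).  Added example; not
NewsDaemon's code.  SQLite stands in for MySQL, and the schema, sample rows
and function names are assumptions chosen to fit the query in the advisory."""
import sqlite3
from urllib.parse import parse_qsl, urlencode

# The request value that produces the injected statement shown in the advisory.
PAYLOAD = "' OR admin_level=2 OR username ='x"


def setup_db():
    """Constructed sample data: one ordinary user and one administrator."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE access (user_id INTEGER, admin_level INTEGER);
        INSERT INTO users  VALUES (1, 'alice'), (2, 'root');
        INSERT INTO access VALUES (1, 0), (2, 2);
    """)
    return conn


def script_scope(query_string, logged_in_user=None):
    """Mimic register_globals=On: each GET name becomes a script global.
    The script sets $user_username only for a logged-in visitor, so on an
    anonymous request whatever the client sent under that name survives."""
    scope = dict(parse_qsl(query_string, keep_blank_values=True))
    if logged_in_user is not None:
        scope["user_username"] = logged_in_user
    return scope


def admin_level_vulnerable(conn, scope):
    """Pre-0.21b shape of the check: the global is pasted into the SQL text,
    quotes and all."""
    sql = ("SELECT admin_level FROM access, users WHERE "
           "users.username = '%s' AND users.id=access.user_id"
           % scope.get("user_username", ""))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def sql_quote(value):
    """Return value as a quoted SQL string literal, doubling embedded single
    quotes (standard SQL; MySQL and SQLite both accept it).  MySQL also
    interprets backslash escapes inside literals unless NO_BACKSLASH_ESCAPES
    is set, so a quoter for MySQL must escape backslashes as well."""
    return "'" + value.replace("'", "''") + "'"


def admin_level_fixed(conn, user_username):
    """0.21b shape of the check.  The username comes from the script's own
    login state (the caller), never from the request array, and is quoted
    before it reaches the statement, so a value like PAYLOAD stays a literal."""
    sql = ("SELECT admin_level FROM access, users WHERE "
           "users.username = %s AND users.id=access.user_id"
           % sql_quote(user_username))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def demo():
    """Run the spoof against both versions; returns the outcomes for checking."""
    conn = setup_db()
    spoofed = urlencode({"user_username": PAYLOAD})   # attacker's query string
    anon = script_scope(spoofed)                       # visitor not logged in
    alice = script_scope(spoofed, logged_in_user="alice")
    return {
        # Anonymous attacker becomes level 2 through the injected OR clause.
        "vulnerable_anonymous": admin_level_vulnerable(conn, anon),
        # A logged-in user's own name overwrites the spoof; no escalation.
        "vulnerable_logged_in": admin_level_vulnerable(conn, alice),
        # Fixed: anonymous means '' (the advisory's $user_username = ''),
        # which matches no row.
        "fixed_anonymous": admin_level_fixed(conn, ""),
        # Fixed: even if the payload were handed in as a username, quoting
        # keeps it a literal and it matches no row.
        "fixed_payload_as_name": admin_level_fixed(conn, PAYLOAD),
        # Fixed: the real administrator still gets level 2.
        "fixed_admin": admin_level_fixed(conn, "root"),
    }


if __name__ == "__main__":
    for name, level in demo().items():
        print("%-22s admin_level=%r" % (name, level))
```

    Run it as a script to print the five outcomes.  Binding the value as
    a driver parameter (conn.execute(sql, (user_username,)) with the
    sqlite3 module) gives the same protection as the quote routine and
    is the preferred form wherever the database interface supports it.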

    A PHP quoting function suitable for quoting values for ODBC or
    MySQL can be found in librock_db.php3, located at:

        http://www.mibsoftware.com/librock/data/database/

    The function name is librock_db_Quote().