
Critical Security Vulnerability: Admin authentication bypass (if path & mail domain known) #1763

Closed
abrookbanks opened this Issue Oct 16, 2017 · 0 comments


abrookbanks commented Oct 16, 2017

This vulnerability has been found by Robin Peraglie from RIPS Technologies.

An unauthenticated user can bypass the authentication entirely by exploiting a logical code flaw originating in the underlying database class. The flaw is exploitable by abusing the "Reset Password" functionality with a specially crafted "Golden" validation token which will cause the underlying logic to always accept the token as "valid".

Requirements:

  1. To hack the administrator, the URL of the Admin Login (i.e. /admin_ABCXYZ.php) must be known to the attacker.
  2. The mailhost domain of the victim needs to be known.

The flaw is that user input has too much control over the SQL payload which will be sent to the database. The "where(...)" function of database.class.php will cause any user input which is prefixed with a tilde character (~) to be evaluated as a "column LIKE '%%'" sequence instead of a traditional "column=''" sequence. This is consistent for any user input landing in the where clause of a SELECT query. This allows an attacker to bypass the condition that a token has to be valid to reset the new password with the "Golden" verification token. The issue may be exploitable in multiple locations, potentially leading to a more severe impact somewhere else.

An attacker can effectively enumerate all users and administrators, set their passwords and steal their information (Confidentiality), or attack the underlying operating system of the web server when logged in as Administrator.

Proof of concept to remain undisclosed.
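As an added illustration (not the project's database.class.php, and not the undisclosed proof of concept), here is a where-clause builder in the shape a fix needs: the comparison operator is chosen by application code, never derived from the value, values are always bound as parameters, and column names come from an allowlist. A reset token beginning with `~` is therefore compared literally instead of being rewritten into `LIKE '%%'`. The table, column names and token values are constructed for this example.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so column names come from an
# allowlist (hypothetical schema for this example), never from input.
ALLOWED_COLUMNS = {"id", "email", "reset_token"}


class Where:
    """Builds 'col op ?' fragments; the operator is chosen by the caller."""

    def __init__(self):
        self._clauses = []
        self._params = []

    def _add(self, column, op, value):
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        self._clauses.append(f"{column} {op} ?")
        self._params.append(value)  # bound as a parameter, never interpolated
        return self

    def eq(self, column, value):
        # Strict equality: a leading '~' in value is just part of the literal.
        return self._add(column, "=", value)

    def like(self, column, pattern):
        # Pattern matching only when application code explicitly asks for it.
        return self._add(column, "LIKE", pattern)

    def build(self):
        return " AND ".join(self._clauses) or "1=1", tuple(self._params)


def find_user_by_reset_token(conn, email, token):
    """Look up a user by e-mail and reset token using equality only."""
    sql, params = Where().eq("email", email).eq("reset_token", token).build()
    row = conn.execute(f"SELECT id FROM users WHERE {sql}", params).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, reset_token TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin@example.test', 'tok-123')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_user_by_reset_token(db, "admin@example.test", "tok-123"))  # 1
    print(find_user_by_reset_token(db, "admin@example.test", "~"))        # None
```

A useful regression check for a fix of this class is exactly the second lookup: any value that is not the stored token, including ones starting with `~` or `%`, must return no row.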

@abrookbanks abrookbanks self-assigned this Oct 16, 2017

abrookbanks added a commit that referenced this issue Oct 16, 2017

@abrookbanks abrookbanks changed the title from Details to follow... to Critical Security Vulnerability: Admin authentication bypass (if path & mail domain known) Oct 16, 2017
