Unauthorized Email Change
################################################################################
1. Unauthorized Email Change in "account-ce.php"
################################################################################
Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------
PHP Code:

Tests:
Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". Target user ID is 1. We issue the GET request:
http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed. The next logical move for the attacker is a password recovery request:
http://localhost/torrenttrader208/account-recover.php
After admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.
################################################################################
|
what is that? Please explain in full detail
|
Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

Code:
    $id = (int) $_GET["id"];
    $md5 = $_GET["secret"];
    $email = $_GET["email"];
    ..
    $res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
    $row = mysql_fetch_assoc($res);
    ..
    $sec = $row["editsecret"];
    if ($md5 != md5($sec . $email . $sec))
        show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
    SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));

Tests:
Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". Target user ID is 1. We issue the GET request:
http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed. The next logical move for the attacker is a password recovery request:
http://localhost/torrenttrader208/account-recover.php
After admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.
|
This would be SQL injection, correct? I've been looking at adding something to improve this. So far it looks like PDO is the best, or can you do it using composer.json?
I'm new to this, but could you point us in the right direction to implement one of these? |
Just sanitize the variables in the SQL query where necessary with sqlesc() or mysqli_real_escape_string() if you have converted over to mysqli, and I believe try to use trim() around:
PHP Code:
PHP Code:
|
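The advisory above classes this as an authorization bypass rather than an injection: the only thing standing between the request and the UPDATE is the comparison against md5($sec . $email . $sec), and when no email change is pending `editsecret` is an empty string, so the expected token collapses to md5($email), which anyone can compute for any address. The following is an added example, not TorrentTrader's own code, of how a hardened handler for this step could look. It keeps the page's table and column names, assumes a PDO connection is available as `$db` (which also answers the PDO question in the reply), and assumes the code that issues the token when a change is requested (not shown on this page) is updated to produce `hash_hmac('sha256', $email, $sec)` instead of the md5 construction.

```php
<?php
// Added example, not the project's code. Hardened email-change confirmation.
// Assumptions: $db is a PDO handle; the token issuer produces
// hash_hmac('sha256', $email, $editsecret) when the change is requested.
declare(strict_types=1);

/**
 * Confirm an email change for user $id using token $secret.
 * Returns true only when the change was applied; false on any rejection.
 */
function confirm_email_change(PDO $db, int $id, string $secret, string $email): bool
{
    // Validate the new address before it reaches the database or the mailer.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Parameterised lookup: no user input is concatenated into SQL.
    $stmt = $db->prepare(
        "SELECT editsecret FROM users
         WHERE enabled = 'yes' AND status = 'confirmed' AND id = :id"
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // The original defect: an empty editsecret made the token predictable.
    // A pending change is the only state in which a confirmation is valid.
    $sec = (string) $row['editsecret'];
    if ($sec === '') {
        return false;
    }

    // Constant-time comparison against the expected keyed token.
    $expected = hash_hmac('sha256', $email, $sec);
    if (!hash_equals($expected, $secret)) {
        return false;
    }

    // Single-use: the UPDATE only matches while the secret is still set,
    // and clears it so the same link cannot be replayed.
    $upd = $db->prepare(
        "UPDATE users SET editsecret = '', email = :email
         WHERE id = :id AND editsecret = :sec"
    );
    $upd->execute([':email' => $email, ':id' => $id, ':sec' => $sec]);
    return $upd->rowCount() === 1;
}

// Example wiring for the GET handler described in the advisory.
// $db is assumed to be created elsewhere, e.g. new PDO($dsn, $user, $pass).
$id     = (int) ($_GET['id'] ?? 0);
$secret = (string) ($_GET['secret'] ?? '');
$email  = trim((string) ($_GET['email'] ?? ''));
if (!confirm_email_change($db, $id, $secret, $email)) {
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
}
```

With this version the request from the advisory's test (secret = md5 of the address, no change pending) is rejected at the empty-secret check before any comparison takes place, and a guessed token is rejected by hash_equals without leaking timing information. Logging rejected confirmations for a user ID is a cheap detection signal for the same scenario.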
Powered by vBulletin® Version 3.8.11 Beta 3
Copyright ©2000 - 2024, vBulletin Solutions Inc.