View Issue Details

ID: 0000164
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2013-11-20 22:23
Reporter: aanriot
Assigned To: 
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000164: org eat org
Description:
It seems to be possible that org master accounts are able to delete arbitrary orgs by freely setting the session variable $_SESSION['_config']['memid'].


DESCRIPTION
===========

In includes/account.php in line 1826 there is the following if-section:

        if($oldid == 34 && $_REQUEST['process'] != "")
        {
                mysql_query("delete from `org` where
                            `memid`='".$_SESSION['_config']['memid']."'");
        }

As far as I can see it is possible for any org master account to set oldid==34 and process!="" to run this query.

There are two different ways to set $_SESSION['_config']['memid']:

1. call account.php?memid=12345 and use an invalid id/oldid. At the end of include/account.php the following statement will be executed without further checking:

        if(intval($memid) > 0)
                $_SESSION['_config']['memid'] = intval($memid);


2. Access disputes.php with oldid==2 and a random domain to dispute. Pass memid as a parameter, and in line 336 it will be written to the session:

        $_SESSION['_config']['memid'] = $memid;

It isn't even parsed!

SOLUTION
========

Once again we have a cross-module setting of session variables, but this isn't even necessary to exploit it in this case. Before deleting from the database there should be a verification that the user has permission to remove that memid.
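The verification the solution paragraph asks for, as an added example that is not CAcert's own code: the delete step takes both ids from the request, checks that the caller (identified by $_SESSION['profile']['id'], not the overwritable $_SESSION['_config']['memid']) is an admin of that org and that the target is not a master account, then deletes one (orgid, memid) row through bound parameters. It assumes a PDO connection $db and the org columns the report names; removeOrgAdmin and its error_log message are hypothetical.

```php
<?php
// Added example, not CAcert code: permission check before the `org` delete.
// Assumes a PDO handle and the `org` columns named in the report (orgid,
// memid, masteracc); the function name and logging are hypothetical.
/**
 * Remove admin $targetMemid from org $orgid on behalf of the logged-in user.
 *
 * The caller's identity comes from the login profile id, never from
 * $_SESSION['_config']['memid'], which the report shows other modules let a
 * request overwrite. Returns true only if exactly one row was deleted.
 */
function removeOrgAdmin(PDO $db, array $session, $orgid, $targetMemid)
{
    $orgid = intval($orgid);
    $targetMemid = intval($targetMemid);
    $callerId = isset($session['profile']['id']) ? intval($session['profile']['id']) : 0;
    if ($orgid <= 0 || $targetMemid <= 0 || $callerId <= 0) {
        return false;
    }
    // 1. The caller must themselves be an admin of this org.
    $isAdmin = $db->prepare('SELECT COUNT(*) FROM `org` WHERE `orgid` = ? AND `memid` = ?');
    $isAdmin->execute(array($orgid, $callerId));
    if ((int) $isAdmin->fetchColumn() < 1) {
        error_log("org admin removal refused: memid=$callerId is not an admin of orgid=$orgid");
        return false;
    }

    // 2. Master accounts cannot be removed this way (the rule the tracker patch also applies).
    $isMaster = $db->prepare('SELECT COUNT(*) FROM `org` WHERE `memid` = ? AND `masteracc` = 1');
    $isMaster->execute(array($targetMemid));
    if ((int) $isMaster->fetchColumn() > 0) {
        return false;
    }

    // 3. Delete one specific (orgid, memid) row; both keys are bound, not concatenated.
    $del = $db->prepare('DELETE FROM `org` WHERE `orgid` = ? AND `memid` = ?');
    $del->execute(array($orgid, $targetMemid));
    return $del->rowCount() === 1;
}

// Wiring for the confirmation step the report describes (oldid == 34):
// both ids come from the request and the session memid is ignored entirely.
if ($oldid == 34 && $_REQUEST['process'] != "") {
    $orgid = isset($_REQUEST['orgid']) ? $_REQUEST['orgid'] : 0;
    $memid = isset($_REQUEST['memid']) ? $_REQUEST['memid'] : 0;
    if (!removeOrgAdmin($db, $_SESSION, $orgid, $memid)) {
        $id = 32;  // fall back to the listing page rather than deleting
    }
}
```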
Tags: No tags attached.

Relationships

related to 0000129 (closed): org admin removal problem
related to 0000146 (closed): Unparsed variable written to session variable

Activities

duane (developer) - 2006-08-16 10:20 - note ~0000519

- if(($oldid == 34 || $id == 34) && $_SESSION['profile']['admin'] != 1)
+ if($id == 34 && $_SESSION['profile']['admin'] != 1)
        {
- $orgid = intval($orgid);
- $memid = intval($memid);
+ $orgid = intval($_REQUEST['orgid']);
+ $memid = intval($_REQUEST['memid']);
                $res = mysql_query("select * from `org` where `orgid`='$orgid' and `memid`='".$_SESSION['profile']['id']."'");
                $_macc2 = mysql_num_rows(mysql_query("select * from `org` where `memid`='$memid' and `masteracc`='1'"));
                if(mysql_num_rows($res) <= 0 || $_macc2 > 0)
                {
                        $id = 32;
                }
        }
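Review bot: narrowing the condition from `($oldid == 34 || $id == 34)` to `$id == 34` means the ownership check on `$res` and the master-account check on `$_macc2` no longer run on the submission step (`$oldid == 34`), which is the branch that performs the delete; a request that sets oldid=34 and process, as the report describes, never passes through `$id == 34`. Keep `$oldid == 34` in the condition, or repeat the check where the delete happens. Note also that `$_macc2` tests the `memid` read from `$_REQUEST`, while the delete branch below still keys on `$_SESSION['_config']['memid']`, so the value that is checked and the value that is deleted can differ.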

        if($oldid == 34 && $_REQUEST['process'] != "")
        {
- mysql_query("delete from `org` where `memid`='".$_SESSION['_config']['memid']."'");
+ $orgid = intval($_REQUEST['orgid']);
+ $memid = intval($_REQUEST['memid']);
+ mysql_query("delete from `org` where `orgid`='$orgid' and memid`='".$_SESSION['_config']['memid']."'");

        }
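Review bot: the rewritten DELETE has a SQL syntax error, the opening backtick before `memid` is missing (`and memid\`='...'`), and because the return value of `mysql_query()` is not checked the removal will silently do nothing. More importantly, `$memid = intval($_REQUEST['memid'])` is assigned but never used: the WHERE clause still takes `memid` from `$_SESSION['_config']['memid']`, the very variable the report shows can be set from account.php and disputes.php. Use the local `$orgid` and the intended memid as bound parameters (or at least the intval'd locals), and verify in this branch that `$_SESSION['profile']['id']` is an admin of `$orgid` before deleting, since the check in the first hunk no longer covers `$oldid == 34`.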

duane (developer) - 2006-08-16 10:36 - note ~0000520

Actually more changes than this have been made to secure 33/34... Will update the tarball shortly with the changes...

Issue History

Date Modified Username Field Change
2006-03-06 11:34 bluec New Issue
2006-08-16 10:16 duane Status new => needs work
2006-08-16 10:16 duane Assigned To => bluec
2006-08-16 10:20 duane Status needs work => solved?
2006-08-16 10:20 duane Fixed in Version => production
2006-08-16 10:20 duane Resolution open => fixed
2006-08-16 10:20 duane Note Added: 0000519
2006-08-16 10:36 duane Note Added: 0000520
2006-08-16 13:44 duane Relationship added related to 0000146
2006-08-16 16:38 duane Relationship added related to 0000129
2007-10-24 05:03 evaldo Reporter bluec => aanriot
2007-10-24 05:03 evaldo Assigned To bluec =>
2007-10-24 05:03 evaldo Status solved? => closed
2013-01-14 01:28 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public