View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000164 | Main CAcert Website | source code | public | 2006-03-06 11:34 | 2013-11-20 22:23 |
Reporter | aanriot | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2006 | ||||
Summary | 0000164: org eat org | ||||
Description

It seems to be possible that org master accounts are able to delete arbitrary orgs by freely setting the session variable $_SESSION['_config']['memid'].

DESCRIPTION
===========

In includes/account.php in line 1826 there is the following if-section:

```php
if($oldid == 34 && $_REQUEST['process'] != "")
{
    mysql_query("delete from `org` where `memid`='".$_SESSION['_config']['memid']."'");
}
```

As far as I can see it is possible for any org master account to set oldid==34 and process!="" to run this query.

There are two different ways to set $_SESSION['_config']['memid']:

1. Call account.php?memid=12345 and use an invalid id/oldid. At the end of include/account.php the following statement will be executed without further checking:

   ```php
   if(intval($memid) > 0)
       $_SESSION['_config']['memid'] = intval($memid);
   ```

2. Access disputes.php with oldid==2 and a random domain to dispute. Pass memid as a parameter and in line 336 it will be written to the session:

   ```php
   $_SESSION['_config']['memid'] = $memid;
   ```

   It isn't even parsed!

SOLUTION
========

Once again we have a cross-module setting of session variables, but this isn't even necessary to exploit it in this case. Before deleting from the database there should be a verification that the user has permission to remove that memid.

Tags | No tags attached.
Reviewed by |
Test Instructions |
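As an added example (not code from the CAcert tree and not part of this report), the following PHP shows the permission check the SOLUTION section asks for: before the delete runs, the acting user must be a master account of the org in question, and the target must be a plain (non-master) member of that same org, with both ids taken from validated request parameters rather than from the session. It uses an in-memory SQLite database through PDO and a constructed `org` table holding only the columns the report names (orgid, memid, masteracc), so it runs stand-alone under php-cli with pdo_sqlite; the function names, sample ids and table layout are assumptions made for the example.

```php
<?php
// Added example, not CAcert code. Demonstrates an ownership check performed in
// the same request as the delete, using prepared statements. The `org` table
// is a constructed stand-in with only orgid/memid/masteracc.

function setup_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE org (orgid INTEGER, memid INTEGER, masteracc INTEGER)");
    // Constructed sample data: org 1 has master 100 and member 101,
    // org 2 has master 200 and member 201.
    $rows = [[1, 100, 1], [1, 101, 0], [2, 200, 1], [2, 201, 0]];
    $ins = $pdo->prepare("INSERT INTO org (orgid, memid, masteracc) VALUES (?, ?, ?)");
    foreach ($rows as $r) {
        $ins->execute($r);
    }
    return $pdo;
}

// Shape of the logic the report describes: the delete is keyed only on a
// memid carried in the session, with no check of who the acting user is.
function remove_member_unchecked(PDO $pdo, array $session): int {
    $st = $pdo->prepare("DELETE FROM org WHERE memid = ?");
    $st->execute([(int)$session['_config']['memid']]);
    return $st->rowCount();
}

// Hardened shape: $actingUserId must be a master account of $orgid, and
// $memid must not itself be a master account (the same two conditions the
// fix tests with $res and $_macc2). Only then is the row deleted, and the
// delete is constrained to that one (orgid, memid) pair.
function remove_member_checked(PDO $pdo, int $actingUserId, int $orgid, int $memid): bool {
    $isMaster = $pdo->prepare(
        "SELECT COUNT(*) FROM org WHERE orgid = ? AND memid = ? AND masteracc = 1");
    $isMaster->execute([$orgid, $actingUserId]);
    if ((int)$isMaster->fetchColumn() === 0) {
        return false; // caller does not administer this org
    }

    $targetIsMaster = $pdo->prepare(
        "SELECT COUNT(*) FROM org WHERE memid = ? AND masteracc = 1");
    $targetIsMaster->execute([$memid]);
    if ((int)$targetIsMaster->fetchColumn() > 0) {
        return false; // master accounts are not removable through this path
    }

    $del = $pdo->prepare("DELETE FROM org WHERE orgid = ? AND memid = ?");
    $del->execute([$orgid, $memid]);
    return $del->rowCount() === 1;
}

function count_rows(PDO $pdo): int {
    return (int)$pdo->query("SELECT COUNT(*) FROM org")->fetchColumn();
}

// Usage: ids would normally come from intval($_REQUEST['orgid']) and
// intval($_REQUEST['memid']), with the acting user from $_SESSION['profile']['id'].
$pdo = setup_db();
// Master of org 1 (user 100) asks to remove member 201, who belongs to org 2: refused.
var_dump(remove_member_checked($pdo, 100, 2, 201));
var_dump(count_rows($pdo));
// User 100 removes member 101 of their own org: allowed.
var_dump(remove_member_checked($pdo, 100, 1, 101));
var_dump(count_rows($pdo));
// Contrast with the unchecked shape, which acts on whatever memid the session holds.
var_dump(remove_member_unchecked($pdo, ['_config' => ['memid' => 200]]));
var_dump(count_rows($pdo));
```

The two SELECTs run in the same request as the DELETE, so there is no window in which a different request can change the session value between the check and the action; that is the property the original `$oldid == 34` branch lacked.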
- if(($oldid == 34 || $id == 34) && $_SESSION['profile']['admin'] != 1) + if($id == 34 && $_SESSION['profile']['admin'] != 1) { - $orgid = intval($orgid); - $memid = intval($memid); + $orgid = intval($_REQUEST['orgid']); + $memid = intval($_REQUEST['memid']); $res = mysql_query("select * from `org` where `orgid`='$orgid' and `memid`='".$_SESSION['profile']['id']."'"); $_macc2 = mysql_num_rows(mysql_query("select * from `org` where `memid`='$memid' and `masteracc`='1'")); if(mysql_num_rows($res) <= 0 || $_macc2 > 0) { $id = 32; } } if($oldid == 34 && $_REQUEST['process'] != "") { - mysql_query("delete from `org` where `memid`='".$_SESSION['_config']['memid']."'"); + $orgid = intval($_REQUEST['orgid']); + $memid = intval($_REQUEST['memid']); + mysql_query("delete from `org` where `orgid`='$orgid' and memid`='".$_SESSION['_config']['memid']."'"); } |
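Review bot: the new delete line, `mysql_query("delete from org where orgid='$orgid' and memid='".$_SESSION['_config']['memid']."'")`, still keys on $_SESSION['_config']['memid'], which is exactly the session value the report says any org master can set through account.php?memid= or disputes.php, and the `$memid = intval($_REQUEST['memid']);` assigned two lines above it is never used. The ownership check (the `$res` query on orgid plus $_SESSION['profile']['id'], and the `$_macc2` master-account test) now runs only under `if($id == 34 ...)`, not in the `if($oldid == 34 && $_REQUEST['process'] != "")` branch where the delete happens, so a request that arrives directly with oldid=34 and a non-empty process skips it. Suggest running the `$res` / `$_macc2` check inside the `$oldid == 34` branch and issuing the delete only when it passes, with the request-derived `$memid` instead of the session value. Separately, the SQL string has an unbalanced backtick before memid (`and memid\`=`), so as written the query is malformed and mysql_query fails rather than deleting anything.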
Actually more changes than this have been made to secure 33/34... Will update the tarball shortly with the changes...
Date Modified | Username | Field | Change |
---|---|---|---|
2006-03-06 11:34 | | New Issue | |
2006-08-16 10:16 | duane | Status | new => needs work |
2006-08-16 10:16 | duane | Assigned To | => bluec |
2006-08-16 10:20 | duane | Status | needs work => solved? |
2006-08-16 10:20 | duane | Fixed in Version | => production |
2006-08-16 10:20 | duane | Resolution | open => fixed |
2006-08-16 10:20 | duane | Note Added: 0000519 | |
2006-08-16 10:36 | duane | Note Added: 0000520 | |
2006-08-16 13:44 | duane | Relationship added | related to 0000146 |
2006-08-16 16:38 | duane | Relationship added | related to 0000129 |
2007-10-24 05:03 | evaldo | Reporter | bluec => aanriot |
2007-10-24 05:03 | evaldo | Assigned To | bluec => |
2007-10-24 05:03 | evaldo | Status | solved? => closed |
2013-01-14 01:28 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |