sNews Forum

sNews 1.6 (previous version) => sNewsMU (sNews Multi User version) => MU issues/bugs => Topic started by: codetwist on December 30, 2007, 11:05:08 pm

Title: Imaginary Security Risk : Bulk users function open to public access ?
Post by: codetwist on December 30, 2007, 11:05:08 pm
This is a scary fairy tale for the last day of 2007; so, enjoy.

Recently I finally looked into the snewsMU.php code as such; granted, only for a couple of hours. Still, it was entertaining ... or maybe not so, depending on the point of view.

So, long story short: I see no reason why this should not work:
(1) Post a form with $_POST['bulkusers'] to any of the snewsMU sites out there, without even circumventing anything, and thus just create a user with whatever access level and rights are wanted.
(2) Log in with the newly created power user/site owner and do whatever it is self-proclaimed site owners usually do.

The code to pay attention to is this, at center():
Code:
switch(true) {

/* snipped out */

## MULTI_USER
case isset($_POST['getpass']): getpass(); return; break;
case isset($_POST['regform']): register(); return; break;
case isset($_POST['bulkusers']): bulk_users(); return; break;
## END MULTI_USER

/* snipped out */

}

and this at bulk_users():
Code:
function bulk_users(){
if (!isset($_POST['bulkusers'])) {

/* snipped out */

}else{

/* snipped out */

$sql = mysql_query("INSERT INTO ".db('prefix')."users (username, username_real, password, email, website, level, ipaddy, first_login, edit_comments, permit_upload, site_owner) VALUES ('$md5_name', '$name', '$md5_pass', '$mail', '$url', '$level', '$ip', 'YES', '$edit_comments', '$permit_upload', '$site_owner')");

/* snipped out */

}
}

All values for the INSERT statement at bulk_users() are submitted through a plain POST request, except the setting for it being the first-time login for the newly created user. However, this function sports exactly no checks of whether the function itself is being operated by a legitimate user session at all.

Enjoy checking and patching if the story fails at the fairy part; 2008 is coming fast ;)

P.S. As I said, I looked into the code only casually, as I don't use it myself; so, this might be just a careless mistake and FUD on my part. Your call, dudes; because, if this is not a mistake on my part, then it might not be entertaining at all for all those snews MU sites out there.
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: codetwist on December 31, 2007, 02:40:40 pm
Use the following quick fix for bulk_users() if you need protection against the described problem.

Add one line between // Quick fix and // End of Quick fix at the beginning of bulk_users():
Code:
function bulk_users(){
// Quick fix
if ($_SESSION[db('website').'Logged_In'] == token() && get_identity($_SESSION['id'], 'level') == '1') {
// End of Quick fix
if (!isset($_POST['bulkusers'])) {

and add an extra '}' at the end of bulk_users():
Code:
echo '<p><a href="'.db('website').'bulk_users/" title="'.l('back').'">'.l('back').'</a></p>';
}
}
// Quick fix
}
// End of Quick fix
}
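The check codetwist's quick fix adds (a valid login token in the session, and the logged-in user being level 1) is the right one; the following is an added example, not sNewsMU's own code and not codetwist's patch, showing the same guard pulled out into a reusable function and applied at the dispatch point in center() instead of inside bulk_users(), so that a handler that forgets its own check is still covered. The helper names db(), token() and get_identity() follow the calls used in the quick fix above, but the bodies here are stubs written for this example so the file runs on its own; the token value, the user table and the request data are all constructed for the demo.

```php
<?php
// Added example (not sNewsMU code): gate privileged MULTI_USER handlers such
// as bulk_users() behind one session check at the dispatcher in center().
// db(), token() and get_identity() are stand-ins for the real sNewsMU helpers.

function db($key) {
    // Assumed configuration values for the demo.
    $cfg = array('prefix' => 'snews_', 'website' => 'http://example.invalid/');
    return $cfg[$key];
}

function token() {
    // In sNews the login token is derived from the installation; a fixed
    // value (assumed) is enough to show the comparison.
    return 'a3f1c9e2';
}

function get_identity($id, $field) {
    // Assumed user table: id => fields. Level '1' is the site owner/admin.
    $users = array(1 => array('level' => '1'), 7 => array('level' => '2'));
    return isset($users[$id][$field]) ? $users[$id][$field] : null;
}

// True only when the session carries the expected login token AND the
// logged-in user is level 1. isset() avoids an "undefined index" notice on an
// anonymous request (where the session has no such keys at all), and ===
// avoids PHP's loose-comparison surprises.
function is_site_owner_session(array $session) {
    $key = db('website') . 'Logged_In';
    if (!isset($session[$key], $session['id'])) {
        return false;
    }
    if ($session[$key] !== token()) {
        return false;
    }
    return get_identity($session['id'], 'level') === '1';
}

// Stand-in for the real bulk_users(): instead of running the INSERT it
// records the row it would have written, so the effect is visible.
function bulk_users(array $post, array &$inserted) {
    $inserted[] = array(
        'username'   => isset($post['name']) ? $post['name'] : '',
        'level'      => isset($post['level']) ? $post['level'] : '',
        'site_owner' => isset($post['site_owner']) ? $post['site_owner'] : 'NO',
    );
    return 'bulk_users ran';
}

// The switch(true) dispatcher from center(), reduced to the bulkusers case.
// The privilege check sits here, before the handler is reached.
function dispatch(array $post, array $session, array &$inserted) {
    switch (true) {
        case isset($post['bulkusers']):
            if (!is_site_owner_session($session)) {
                return 'denied';
            }
            return bulk_users($post, $inserted);
        default:
            return 'no action';
    }
}

// Demo (constructed data): the request from the original post with no session
// at all, the same request from a logged-in level-2 user, and from the owner.
$attack   = array('bulkusers' => '1', 'name' => 'evil', 'level' => '1', 'site_owner' => 'YES');
$inserted = array();
$loggedIn = db('website') . 'Logged_In';

$anon  = dispatch($attack, array(), $inserted);
$user  = dispatch($attack, array($loggedIn => token(), 'id' => 7), $inserted);
$owner = dispatch($attack, array($loggedIn => token(), 'id' => 1), $inserted);

printf("anonymous: %s\nlevel-2 user: %s\nsite owner: %s\nrows inserted: %d\n",
    $anon, $user, $owner, count($inserted));
```

Run it with `php example.php`: only the site-owner session reaches bulk_users(), and only one row is recorded. Two small differences from the quick fix are deliberate: the session keys are tested with isset() first, so an anonymous request does not raise a PHP notice before being refused, and the comparison is strict. Putting the guard in center() rather than in each handler is a design choice, not something the thread requires; the quick fix inside bulk_users() closes the hole on its own.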
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: Ken Dahlin on December 31, 2007, 07:41:31 pm
Thank you for this.
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: Ken Dahlin on January 01, 2008, 03:55:11 am
Confirmed. I created an admin account on an unpatched install of sNewsMU. After patching my install as codetwist recommends, I can confirm that the bug is fixed. The archive for download should be patched immediately.
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: Keyrocks on January 01, 2008, 09:12:09 pm
Note to all MEMU Users:
The sNews 16 MEMU Package (http://snewscms.com/forum/index.php?topic=5847.msg38076#msg38076) has been updated with Codetwist's patch. Thanks Codie.  :)
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: brauck on January 02, 2008, 12:31:51 pm
Key,

Small correction.

Link to the MEMU package is this (http://snewscms.com/forum/index.php?topic=5847.msg38076#msg38076)

Thanks for the fast update  ;)
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: Keyrocks on January 02, 2008, 03:05:43 pm
Quote from: brauck on January 02, 2008, 12:31:51 pm
Key,
Small correction. Link to the MEMU package is this (http://snewscms.com/forum/index.php?topic=5847.msg38076#msg38076)
Thanks for the fast update  ;)
Thanks B... fixed the link above.  :P
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: codetwist on January 02, 2008, 05:25:05 pm
Thanks for taking it seriously ;)

Special thanks to Ken for the practical testing; it always kind of 'beats' imaginary things ;D
Title: Re: Imaginary Security Risk : Bulk users function open to public access ?
Post by: Joost on January 02, 2008, 05:42:04 pm
Quote from: codetwist on January 02, 2008, 05:25:05 pm
Thanks for taking it seriously ;)

I can understand you had some doubts, mainly because of a rather slow response time. However, it was taken seriously from the start.