Author Topic: Imaginary Security Risk : Bulk users function open to public access ?  (Read 4260 times)

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940

This is a scary fairy tale for the last day of 2007; so, enjoy.

Recently I finally looked into the snewsMU.php code as such; granted, only for a couple of hours. Still, it was entertaining ... or maybe not so, depending on the point of view.

So, long story short - I see no reason why this should not work:
(1) Post a form with $_POST['bulkusers'] to any of the snewsMU sites out there, without even circumventing anything, and thus just create a user with whatever access level and rights are wanted.
(2) Log in as the newly created power user/site owner and do whatever it is self-proclaimed site owners usually do.

The code to pay attention to is this at center():
Code:
switch(true) {

/* snipped out */

## MULTI_USER
case isset($_POST['getpass']): getpass(); return; break;
case isset($_POST['regform']): register(); return; break;
case isset($_POST['bulkusers']): bulk_users(); return; break;
## END MULTI_USER

/* snipped out */

}

and this at bulk_users():
Code:
function bulk_users(){
if (!isset($_POST['bulkusers'])) {

/* snipped out */

}else{

/* snipped out */

$sql = mysql_query("INSERT INTO ".db('prefix')."users (username, username_real, password, email, website, level, ipaddy, first_login, edit_comments, permit_upload, site_owner) VALUES ('$md5_name', '$name', '$md5_pass', '$mail', '$url', '$level', '$ip', 'YES', '$edit_comments', '$permit_upload', '$site_owner')");

/* snipped out */

}
}

All values for the INSERT statement at bulk_users() are submitted through a plain POST request, except the setting marking it as the first login for the newly created user. However, this function sports exactly no checks on whether the function itself is being operated by a legitimate user session at all.

Enjoy checking and patching if the story fails at the fairy part; 2008 is coming fast ;)

P.S. As I said - I looked into the code only casually as I don't use it myself; so, this might be just a careless mistake and FUD on my part. Your call, dudes; because, if this is not a mistake on my part, then it might not be entertaining at all for all those snews MU sites out there.
« Last Edit: December 30, 2007, 11:08:04 pm by codetwist »
Logged

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #1 on: December 31, 2007, 02:40:40 pm »

Use the following quick fix for bulk_users() if you need protection against the described problem.

Add one line between // Quick fix and // End of Quick fix at the beginning of bulk_users():
Code:
function bulk_users(){
// Quick fix
if ($_SESSION[db('website').'Logged_In'] == token() && get_identity($_SESSION['id'], 'level') == '1') {
// End of Quick fix
if (!isset($_POST['bulkusers'])) {

and add an extra '}' at the end of bulk_users():
Code:
echo '<p><a href="'.db('website').'bulk_users/" title="'.l('back').'">'.l('back').'</a></p>';
}
}
// Quick fix
}
// End of Quick fix
}
Logged
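
The pattern behind the quick fix above, shown as an added example that is not sNewsMU code and not part of the original posts: the dispatcher itself refuses a privileged POST action unless the session is a logged-in administrator, so a handler cannot be reached just because its form field is present. All function names, the session keys `token` and `level`, and the sample sessions are hypothetical; level '1' as administrator follows the check in the quick fix.

```php
<?php
// Added illustration; every name below is hypothetical, not from snewsMU.php.

// Each POST action declares whether it needs an administrator session.
const ACTIONS = [
    'getpass'   => ['handler' => 'handle_getpass',   'admin_only' => false],
    'regform'   => ['handler' => 'handle_register',  'admin_only' => false],
    'bulkusers' => ['handler' => 'handle_bulkusers', 'admin_only' => true],
];

// True only for a session holding the expected login token and level '1'.
function is_admin(array $session, string $expectedToken): bool {
    return isset($session['token'], $session['level'])
        && hash_equals($expectedToken, (string) $session['token'])
        && $session['level'] === '1';
}

// Central gate: the authorization decision is made before any handler runs.
function dispatch(array $post, array $session, string $expectedToken): string {
    foreach (ACTIONS as $key => $action) {
        if (!isset($post[$key])) {
            continue;
        }
        if ($action['admin_only'] && !is_admin($session, $expectedToken)) {
            return "403 denied: $key";
        }
        return $action['handler']($post);
    }
    return '404 no action';
}

// Stub handlers standing in for the real work (the INSERT and so on).
function handle_getpass(array $post): string   { return 'getpass ok'; }
function handle_register(array $post): string  { return 'register ok'; }
function handle_bulkusers(array $post): string { return 'bulk users created'; }

// Constructed sessions: no login, a logged-in non-admin, a logged-in admin.
$token = 'constructed-token';
$sessions = [
    'anonymous' => [],
    'member'    => ['token' => $token, 'level' => '3'],
    'admin'     => ['token' => $token, 'level' => '1'],
];
foreach ($sessions as $who => $session) {
    echo $who, ': ', dispatch(['bulkusers' => '1'], $session, $token), PHP_EOL;
}
```

Only the admin session reaches handle_bulkusers(); the other two are refused in dispatch() before any handler code executes.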

Ken Dahlin

  • Full Member
  • ***
  • Karma: 30
  • Posts: 139
    • http://www.kendahlin.com/
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #2 on: December 31, 2007, 07:41:31 pm »

Thank you for this.
Logged

Ken Dahlin

  • Full Member
  • ***
  • Karma: 30
  • Posts: 139
    • http://www.kendahlin.com/
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #3 on: January 01, 2008, 03:55:11 am »

Confirmed. I created an admin account on an unpatched install of sNewsMU. After patching my install as codetwist recommends, I can confirm that the bug is fixed. The archive for download should be patched immediately.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #4 on: January 01, 2008, 09:12:09 pm »

Note to all MEMU Users:
The sNews 16 MEMU Package has been updated with Codetwist's patch. Thanks Codie.  :)
« Last Edit: January 02, 2008, 03:03:53 pm by Keyrocks »
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

brauck

  • Hero Member
  • *****
  • Karma: 18
  • Posts: 556
    • http://www.hbw-webdesign.nl/
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #5 on: January 02, 2008, 12:31:51 pm »

Key,

Small correction.

Link to the MEMU package is this

Thanks for the fast update  ;)
Logged
Confidence is reduced complexity.
brauck.nl for free css templates

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #6 on: January 02, 2008, 03:05:43 pm »

Quote:
Key,
Small correction. Link to the MEMU package is this
Thanks for the fast update  ;)

Thanks B... fixed the link above.  :P
Logged

codetwist

  • Hero Member
  • *****
  • Karma: 50
  • Posts: 940
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #7 on: January 02, 2008, 05:25:05 pm »

Thanks for taking it seriously ;)

Special thanks to Ken for practical testing - it always kind of 'beats' imaginary things ;D
Logged

Joost

  • Guest
Re: Imaginary Security Risk : Bulk users function open to public access ?
« Reply #8 on: January 02, 2008, 05:42:04 pm »

Quote: Thanks for taking it seriously ;)

I can understand you had some doubts, mainly because of a rather slow response time. However, it was taken seriously from the start.
Logged