INDEXU Web Portal Content Management System Allows Users to Obtain Administrator Access to the Management System
SecurityTracker Alert ID: 1001078|
SecurityTracker URL: http://securitytracker.com/id/1001078
(Links to External Site)
Date: Mar 13 2001
User access via network|
Vendor Confirmed: Yes |
Version(s): up to and including 2.0Beta|
UNDERSEC Security reports a vulnerability with INDEXU, a portal content management system based on PHP and MySQL. The security hole allows users to masquerade as an administrator.|
INDEXU uses a web front-end to manage the system and its databases. The administrator's code is located in the directory "/admin". When logging in as the administrator, a cookie is set on the administrator's browser:
host.where.indexu.is.installed TRUE / FALSE 1388494785 cookie_admin_authenticated 1
A user with access to the web port can manipulate their cookies to masquerade as a valid and authorized administrator.
The vendor was reportedly informed of this bug on 2001-03-02.
A user with access to the web port can manipulate their cookies to masquerade as a valid and authorized administrator.|
No vendor solution was available at the time of this entry.|
UNDERSEC recommends a workaround that uses .htaccess authentication to prevent users from accessing the adminitrator directory.
Vendor URL: indexu.com (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: INDEXU Authentication By-Pass|
UNDERSEC SECURITY ADVISORY 4th March 20001
VERSIONS: All versions prior to 2.0Beta (2.0Beta included)
CLASS: Authentication bypass
POSTED BY: Sp4rK <firstname.lastname@example.org>
INDEXU is a content management system software that aims to help a web
master to build a portal in just seconds. It is based in PHP code and
uses MySQL as its database. INDEXU uses a web frontend to manage every
** PROBLEM DESCRIPTION
INDEXU uses a web frontend to manage every database it uses. The admin
section is located in /admin. When you login there it asks for a user
name and password (defaults to admin/admin). Once you log in it sets a
cookie with the following format:
host.where.indexu.is.installed TRUE / FALSE 1388494785 cooki
This cookie will (or should be) deleted when the current session finis
hes, and is used to determine whether you are an admin or not
Anybody who can manipulate it's cookie settings is able to act as if
he/she was the admin.
Use .htaccess authentication to prevent users from accessing adminitra
INDEXU Team was informed of this bug on 2001-03-02.
" Hi, thanks for remindering me about this.
It's true, i add 'flag' when administrator logged in. But the flag
that recognize administrator will automatically deleted when he clo
se the browser or logout. But I think it's safer enough for non-eco
mmerce website. Anyway your suggestion is very good too. I'll add
more security when in final version.
The bug hasn't been fixed yet, but we hope it'll be fixed in the next
release of INDEXU.
UNDERSEC Security TEAM,
============== ===== === -- - -
UNDERSEC Security Team