SecurityTracker.com
SecurityTracker Archives

Category: Application (Generic) > Adobe Dreamweaver
Vendors: Macromedia
Macromedia Dreamweaver PHP Users Authentication Extensions Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007399
SecurityTracker URL:  http://securitytracker.com/id/1007399
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 4 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): MX 6.0
Description:   Lorenzo Hernandez Garcia-Hierro reported several vulnerabilities in Macromedia's Dreamweaver PHP User Authentication extensions. A remote user can conduct cross-site scripting attacks against servers that implement these functions.

It is reported that the PHP User Authentication extensions (available in the DevNet Resource Kit) contain an input validation flaw in the "Log In User" function in the "Access Denied" variable. The software reportedly does not filter user-supplied HTML code from the error message that is returned when a user attempts to access a restricted page without having logged in.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Dreamweaver-created PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is of the form:

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]="><script>alert('.::\/\|NSRG-18-7|/\/::.');</script>

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.macromedia.com/software/drk/productinfo/product_overview/volume2/dw_extensions.html
Cause:   Input validation error
Underlying OS:  Apple (Legacy "classic" Mac), UNIX (macOS/OS X), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 20 2003 (Macromedia Issues Fix) Macromedia Dreamweaver PHP Users Authentication Extensions Permit Cross-Site Scripting Attacks
Macromedia has released a fix.



 Source Message Contents

Subject:  Macromedia DW MX PHP Authentication Suite Vulnerabilities


Macromedia DW MX PHP Authentication Suite Vulnerabilities
-------------------
Product: PHP Authentication Suite for DreamWeaver
Vendor: Macromedia
Versions:
VULNERABLE

- DreamWeaver MX 6.0
- All the PHP Auth systems created with this
- Variables : ALL LIKE accessdenied

NOT VULNERABLE

- ?
---------------------

Description:

The PHP User Authentication Suite consists of four server behaviors for
restricting access to websites for the Dreamweaver MX PHP server model.
The four server behaviors are:
- Log In User
- Restrict Access to Page
- Log Out User
- Check New Username

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered an XSS (Cross-Site Scripting) vulnerability in the LOGIN
system that allows you to include script code in the result page / login
form.

---------------------
| XSS IN            |
|      LOGIN FORMS  |
---------------------

The XSS is in the access-denied URL variable (URL-encoded):

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]=%2F[DIR1]%2F[DIR2]%2F[DIR3]%2F[FORBIDDEN PAGE]

This occurs when you attempt to access a page of the website that
requires a valid authentication token.

The page redirects you to the [LOGIN PAGE] and includes a special
variable in the query, [ACCESS DENIED VARIABLE]=, with the URL of the
denied page that was accessed (from the root directory,
e.g. /dir1/dir2/dir3/secret.php), URL-encoded.

The XSS attack occurs when you write script code in the variable by
closing the form tags:

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]="><script>alert('.::\/\|NSRG-18-7|/\/::.');</script>


Examples:

http://www.victim.foo/secrets/login.php?accessdenied=%2Fsecrets%2Findex.php <- ( /secrets/index.php )

http://www3.bigbank.biz/admin/ccarddb/admin.php?accessdenied=%2Fadmin%2Fccarddb%2Fexport.database.content.php <- ( /admin/ccarddb/export.database.content.php )

http://www.sco.fm/is/a/big/*h*t.php?notalinuxerror=%2Flinuxsourcecode%2Fcopytosco.php <- ( /linuxsourcecode/copytosco.php )

- Proof of Concepts: -

Access a forbidden page; you get a URL like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?[ACCESS DENIED VARIABLE]=%2Fsecrets%2Fbankaccounts.php

And modify the variable like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?ACCESSDENIED="><iframe src="ANTI-TESTING.FOO"></iframe>

-----------
| CODES   |
-----------

The LOGIN Page code:

<?php require_once('[SQL CONNECTION]'); ?>
<?php
// *** Logout the current user.
$FF_Logout = $HTTP_SERVER_VARS['PHP_SELF'] . "?FF_Logoutnow=1";
if (isset($HTTP_GET_VARS['FF_Logoutnow']) && $HTTP_GET_VARS['FF_Logoutnow']=="1") {
   session_start();
   session_unregister("MM_Username");
   session_unregister("MM_UserAuthorization");
   $FF_logoutRedirectPage = "[LOGIN PAGE]";
   // redirect with URL parameters (remove the "FF_Logoutnow" query param).
   if ($FF_logoutRedirectPage == "") $FF_logoutRedirectPage = $HTTP_SERVER_VARS['PHP_SELF'];
   if (!strpos($FF_logoutRedirectPage, "?") && $HTTP_SERVER_VARS['QUERY_STRING'] != "") {
     $FF_newQS = "?";
     reset ($HTTP_GET_VARS);
     while (list ($key, $val) = each ($HTTP_GET_VARS)) {
       if($key != "FF_Logoutnow"){
         if (strlen($FF_newQS) > 1) $FF_newQS .= "&";
         $FF_newQS .= $key . "=" . urlencode($val);
       }
     }
     if (strlen($FF_newQS) > 1) $FF_logoutRedirectPage .= $FF_newQS;
   }
   header("Location: $FF_logoutRedirectPage");
   exit;
}

// *** Start the session
session_start();
// *** Validate request to log in to this site.
$FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".$HTTP_SERVER_VARS['QUERY_STRING'];
if (isset($HTTP_POST_VARS['username'])) {
   $FF_valUsername=$HTTP_POST_VARS['username'];
   $FF_valPassword=$HTTP_POST_VARS['password'];
   $FF_fldUserAuthorization="UID";
   $FF_redirectLoginSuccess="access_granted.php";
   $FF_redirectLoginFailed="access_denied.php";
   $FF_rsUser_Source="SELECT USERNAME, PASSWD ";
   if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
   $FF_rsUser_Source .= " FROM [TABLE] WHERE USERNAME='" . $FF_valUsername . "' AND PASSWD='" . $FF_valPassword . "'";
   mysql_select_db($database_unp43s, $unp43s);
   $FF_rsUser=mysql_query($FF_rsUser_Source, $unp43s) or die(mysql_error());
   $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
   if(mysql_num_rows($FF_rsUser) > 0) {
     // username and password match - this is a valid user
     $MM_Username=$FF_valUsername;
     session_register("MM_Username");
     if ($FF_fldUserAuthorization != "") {
       $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
     } else {
       $MM_UserAuthorization="";
     }
     // ***** THIS PART INCLUDES THE AFFECTED VARIABLES *****
     session_register("MM_UserAuthorization");
     if (isset($accessdenied) && false) {
       $FF_redirectLoginSuccess = $accessdenied;
     }
     mysql_free_result($FF_rsUser);
     session_register("FF_login_failed");
     $FF_login_failed = false;
     header ("Location: $FF_redirectLoginSuccess");
     exit;
   }
   mysql_free_result($FF_rsUser);
   session_register("FF_login_failed");
   $FF_login_failed = true;
   header ("Location: $FF_redirectLoginFailed");
   exit;
}

?>

\\\\\\\\\\\\\\\\\\\\\\\\\\/::.- Access Restriction system with the XSS

<?php
// *** Restrict Access To Page: Grant or deny access to this page
$FF_authorizedUsers=" xXx";
$FF_authFailedURL="[LOGIN PAGE]";
$FF_grantAccess=0;
session_start();
if (isset($HTTP_SESSION_VARS["MM_Username"])) {
   if (true || !(isset($HTTP_SESSION_VARS["MM_UserAuthorization"])) || $HTTP_SESSION_VARS["MM_UserAuthorization"]=="" || strpos($FF_authorizedUsers, $HTTP_SESSION_VARS["MM_UserAuthorization"])) {
     $FF_grantAccess = 1;
   }
}
if (!$FF_grantAccess) {
   $FF_qsChar = "?";
   if (strpos($FF_authFailedURL, "?")) $FF_qsChar = "&";
   $FF_referrer = $HTTP_SERVER_VARS['PHP_SELF'];
   if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && strlen($HTTP_SERVER_VARS['QUERY_STRING']) > 0) $FF_referrer .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
   // ---> the affected line: the denied page's path (and query string) is passed on in the accessdenied variable
   $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);
   header("Location: $FF_authFailedURL");
   exit;
}
?>
\\\\\\\\\\\\\\\\\\\\\\ now the affected code at the access restriction system

-----------
|solution:|
-----------

Replace:

   $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);

with:

   $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=Your attempt was recorded";

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
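The reflection described in the advisory above (the accessdenied value written unescaped into the login page's error message and form) and the fix proposed in the message's solution section, shown as an added example that is not Macromedia's extension code and not the reporter's code. It places the vulnerable rendering beside a hardened version that validates the value as a site-relative path and HTML-escapes it on output. The file name login.php, the page layout and the default target /index.php are assumptions for the example.

```php
<?php
// Added example: not the Dreamweaver extension code from the advisory.
// Assumed layout: login.php is the "Log In User" page and the "Restrict
// Access to Page" behaviour sends an unauthenticated visitor here with
// ?accessdenied=<url-encoded path of the page they tried to open>.
declare(strict_types=1);

// Vulnerable pattern, as the advisory describes it: the decoded
// accessdenied value is written into the error message and into the
// login form without any escaping, so a value of the shape "><script>...
// closes the attribute and the tag and the browser runs the injected script.
function renderLoginVulnerable(?string $accessDenied): string
{
    $target = $accessDenied ?? '/index.php';
    return "<p>You must log in to view $target</p>\n"
         . "<form action=\"login.php\" method=\"post\">\n"
         . "<input type=\"hidden\" name=\"accessdenied\" value=\"$target\">\n"
         . "<input name=\"username\"><input type=\"password\" name=\"password\">\n"
         . "</form>";
}

// Hardened: accept only a site-relative path as the redirect target (this
// also keeps the post-login Location header on the same site) and
// HTML-escape everything that lands in markup.
function safeRedirectTarget(?string $candidate, string $default = '/index.php'): string
{
    if ($candidate === null) {
        return $default;
    }
    // Exactly one leading slash followed by plain path characters. This
    // rejects "//other.host", scheme prefixes, quotes and angle brackets.
    if (preg_match('#\A/(?!/)[A-Za-z0-9_./-]*\z#', $candidate) !== 1) {
        return $default;
    }
    return $candidate;
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLoginHardened(?string $accessDenied): string
{
    $target = safeRedirectTarget($accessDenied);
    return "<p>You must log in to view " . h($target) . "</p>\n"
         . "<form action=\"login.php\" method=\"post\">\n"
         . "<input type=\"hidden\" name=\"accessdenied\" value=\"" . h($target) . "\">\n"
         . "<input name=\"username\"><input type=\"password\" name=\"password\">\n"
         . "</form>";
}

// Constructed inputs: a legitimate redirect target and a value of the
// injection shape given in the advisory (standing in for $_GET['accessdenied']).
$inputs = [
    'legit'   => '/secrets/bankaccounts.php',
    'hostile' => '"><script>alert(1)</script>',
];

foreach ($inputs as $label => $value) {
    echo "== $label, vulnerable ==\n", renderLoginVulnerable($value), "\n";
    echo "== $label, hardened ==\n", renderLoginHardened($value), "\n";
}
```

Run it with the php CLI: for the hostile value the vulnerable output contains a live script tag inside the page, while the hardened output falls back to /index.php and would escape quotes and angle brackets for any value that did reach the markup. Validating the path rather than replacing it with a fixed string, as the message's solution does, keeps the redirect-after-login feature working for legitimate targets, and the same check prevents the post-login redirect from being pointed at another host.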


 
 



Copyright 2019, SecurityGlobal.net LLC