25th Feb 2003 [SBWID-6021]
COMMAND
	Mambo SiteServer exploit gains administrative privileges
SYSTEMS AFFECTED
	TESTED: Mambo 4.0.12 RC2
PROBLEM
	Thanks to the advisory by Simen Bergo [[email protected]]:
	"Mambo SiteServer is the  finest  open  source  Web  Content  Management
	System  available  today."  (direct  quote  from  the  Mambo  SiteServer
	website)
	A vulnerability in /administrator/index2.php allows  any  user  to  gain
	administrator access as long as they know any sessionid in  the  session
	table the script uses. (The code  that  is  vulnerable  is  too  big  to
	include here)
	Actually, you would think just logging in as a normal user would  create
	this sessionid, however a bug in the PHP sourcecode of the project makes
	sure this does not happen.
	Anyone with a slight knowledge of PHP knows that when you set a  cookie,
	it is not updated until you refresh the webpage. Anyone but  the  coders
	of Mambo SiteServer, that is:
	
	// setcookie() only queues a Set-Cookie header for the response; the
	// value is not in $HTTP_COOKIE_VARS until the browser sends it back on
	// the next request, so this check fails on a fresh login and no session
	// row is written.
	setcookie("sessioncookie", "$sessionID");
	if ($HTTP_COOKIE_VARS["sessioncookie"]!="") {
	  $query="INSERT into ".$dbprefix."session set 
	    session_id='$cryptSessionID', guest='', userid='$uid', 
	    usertype='$usertype', gid='$gid', username='$username'";
	  $database->openConnectionNoReturn($query);
	}
	
	As we can see, Mambo SiteServer  checks  if  the  cookie  has  been  set
	before it inserts the sessionid into the table. As it has not  yet  been
	set, no sessionid is inserted and therefore we  cannot  "login"  to  the
	administrator directory either.
	Moving on in the sourcecode, to SessionCookie.php (which is called  when
	you logout), we can see  that  a  sessionid  is  inserted  whenever  you
	logout. Why? I have no idea.
	
	// Logout path: a fresh random id is generated, sent as the cookie and
	// inserted as a guest session row, so after a logout a valid
	// session_id does exist in the table.
	$current_time = time();
	if ($HTTP_COOKIE_VARS["sessioncookie"]==""){
	  $randnum=getSessionID1();
	  ...
	  $cryptrandnum=md5($randnum);
	  ...
	  setcookie("sessioncookie", "$randnum");
	  $guest=1;
	  $query="INSERT into ".$dbprefix."session SET username='', 
	    time=$current_time, session_id='$cryptrandnum', guest=$guest";
	  $database->openConnectionNoReturn($query);
	}
	
	A cookie looking something like the following will now be sent  to  the
	browser:
	
	sessioncookie=nh54OQIZb8ybaA2CNNdU1046102063
	
	All we have to do is MD5-encrypt it, since that is what was done to  the
	session that was inserted  to  the  MySQL-table.  In  this  example  the
	encrypted version is:
	
	0ebda5bbba49dc226b4ed8fc801f1d98
	
	By  accessing  /administrator/index2.php  with   this   session,   Mambo
	SiteServer will think that we are the administrator logged in:
	
	/administrator/index2.php?session_id=0ebda5bbba49dc226b4ed8fc801f1d98
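
	The cookie-timing bug and the session check it leaves exposed, reproduced in a stand-alone PHP script with a corrected version alongside. This is an added example, not Mambo's code or the advisory author's; the in-memory $sessions array, the function names and the administrator gid threshold are assumptions, and $_COOKIE stands in for PHP 4's $HTTP_COOKIE_VARS.

```php
<?php
// Added example; not code from Mambo or from the advisory. It reproduces the
// login-path cookie bug in a stand-alone script and shows a corrected version.
// $sessions is a constructed in-memory stand-in for the session table; the
// admin gid threshold below is a placeholder, not Mambo's real value.

// Vulnerable shape (after Mambo): setcookie() only queues a Set-Cookie header
// for the response. $_COOKIE (PHP 4's $HTTP_COOKIE_VARS) holds what the browser
// sent with *this* request, so on a fresh login the check is always false and
// no session row is written.
function loginVulnerable(array &$sessions, string $sessionID, int $uid, int $gid): bool
{
    setcookie('sessioncookie', $sessionID);
    if (($_COOKIE['sessioncookie'] ?? '') !== '') {
        $sessions[md5($sessionID)] = ['userid' => $uid, 'gid' => $gid, 'guest' => 0];
        return true;
    }
    return false;
}
// Corrected shape: decide from the id this request generated, not from the
// request cookie, and bind the row to the authenticated user.
function loginFixed(array &$sessions, string $sessionID, int $uid, int $gid): bool
{
    setcookie('sessioncookie', $sessionID);
    $sessions[md5($sessionID)] = ['userid' => $uid, 'gid' => $gid, 'guest' => 0];
    return true;
}
// Administrator check. Accepting any session_id present in the table (weak) is
// what lets the guest row written on logout pass; the fixed check requires a
// non-guest row bound to a real user whose gid is in the administrator range.
function isAdminWeak(array $sessions, string $cryptID): bool
{
    return isset($sessions[$cryptID]);
}
function isAdminFixed(array $sessions, string $cryptID, int $adminGid = 25): bool
{
    $row = $sessions[$cryptID] ?? null;
    return $row !== null && $row['guest'] === 0 && $row['userid'] > 0 && $row['gid'] >= $adminGid;
}

// Logout path from the advisory: a guest row is inserted for a fresh random id.
$sessions = [];
$guestID = 'nh54OQIZb8ybaA2CNNdU1046102063';   // the advisory's sample cookie value
$sessions[md5($guestID)] = ['userid' => 0, 'gid' => 0, 'guest' => 1];

var_dump(loginVulnerable($sessions, 'fresh-login-id', 62, 25)); // fresh login, row never written
var_dump(loginFixed($sessions, 'fresh-login-id', 62, 25));      // fresh login, row written
var_dump(isAdminWeak($sessions, md5($guestID)));                 // guest row passes the weak check
var_dump(isAdminFixed($sessions, md5($guestID)));                // guest row rejected
```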
	
	 PROOF OF CONCEPT
	 ================
	I have created an  exploit  that  will  gain  access  to  the  host  you
	specify. It can be found at the URL below, but  must  only  be  used  on
	your own website for testing purposes.
	
	http://www.voidnull.com/exploit/mamboexp.phps
	
SOLUTION
	None yet.
	 Workaround
	 ==========
	Until Mambo releases a patch for this vulnerability I suggest  password-
	protecting your /administrator directory with .htaccess.