
ppp-design found the following design error in phpsquidpass:


Details

Product: phpsquidpass
Affected Version: 0.11 and maybe all versions before
Immune Version: 0.2
OS affected: all OS with php
Vendor-URL: http://sourceforge.net/projects/phpsquidpass
Vendor-Status: informed, new version available
Security-Risk: low
Remote-Exploit: Yes


Introduction

phpsquidpass is a PHP frontend that lets squid users change their passwords. Unfortunately the software suffers from a design error which can lead to existing users being overwritten.


More details

The problem is incorrect use of the PHP function ereg. When searching for the username, the regular expression used is "$username:". Because the pattern is not anchored to the start of the line, it matches every username that ends in $username.


Proof-of-concept

$ cat /etc/squid/conf/proxy_users
otheruser:abcabcabcabc
user:u2rsop.rgGdMQ

Password for otheruser is unknown, password for user is "pppdesign".

Now use phpsquidpass: Log in with username "user", old password "pppdesign", new password "anything".

$ cat /etc/squid/conf/proxy_users
user:qOeMIgXWkhxD.
user:S6UsDZDEwc1aY

The username "otheruser" is replaced with "user", and the password is "anything" for both lines. This works every time the short username is the tail of the long one and the long one is placed before the shorter username.


Temporary-fix

Replace the regular expressions:

54c54
< if (!ereg("$username:.",$password_file)) {
> if (!ereg("(^$username:.|\n$username:.)",$password_file)) {
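Review bot: $username is interpolated into the pattern on the new line 54 without escaping, so a name containing regex metacharacters such as "." or "*" can still match other entries in $password_file. Compare the text before the first ":" of each entry to $username with exact string equality, or restrict the allowed username characters before this check.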
63c63
< if (ereg("$username:.",$line)) {
> if (ereg("(^$username:.|\n$username:.)",$line)) {
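Review bot: the "\n$username:." alternative on the new line 63 is tested against $line; if $line holds a single entry, as its name suggests, only the "^" branch can apply, and the pattern differs from the "^($username:.)" form used at line 115. Using the same anchored form in both places would keep the per-line checks consistent.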
115c115
< if (ereg("$username:.",$password_file[$x])) {
> if (ereg("^($username:.)",$password_file[$x])) {
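Review bot: the trailing "." in "^($username:.)" on the new line 115 requires at least one character after the colon, so an entry whose password field is empty is not matched by this check. If that case should be handled, drop the "." and match on "^$username:"; the grouping parentheses are also unnecessary.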



Fix

Use at least phpsquidpass v0.2, which fixes the bug in nearly the same way as the temporary fix.
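
The matching flaw and a stricter check, as an added example that is not phpsquidpass code: it uses preg_match because ereg was removed in PHP 7, and goes one step beyond the temporary fix by comparing the name field exactly instead of anchoring a regex. The function names and the placeholder hash are assumptions; the sample entries are the proof-of-concept lines above.

```php
<?php
// Added example, not phpsquidpass source. Function names are hypothetical.

// Unanchored match, equivalent to the advisory's "before" lines.
function update_unanchored(array $lines, string $username, string $hash): array
{
    foreach ($lines as $i => $line) {
        // "user:." is also found inside "otheruser:abcabcabcabc".
        if (preg_match("/$username:./", $line)) {
            $lines[$i] = "$username:$hash";
        }
    }
    return $lines;
}

// Exact comparison of the name field; user input never reaches a regex.
function update_exact(array $lines, string $username, string $hash): array
{
    // Reject names that would break the "name:hash" line format.
    if ($username === '' || strpbrk($username, ":\r\n") !== false) {
        throw new InvalidArgumentException('invalid username');
    }
    foreach ($lines as $i => $line) {
        $name = strstr($line, ':', true); // text before the first ':', or false
        if ($name === $username) {
            $lines[$i] = "$username:$hash";
        }
    }
    return $lines;
}

// Entries from the advisory's proof-of-concept file.
$file = ['otheruser:abcabcabcabc', 'user:u2rsop.rgGdMQ'];
$hash = 'CONSTRUCTED-HASH'; // constructed placeholder, not a real crypt() value

foreach (['update_unanchored', 'update_exact'] as $fn) {
    $after = $fn($file, 'user', $hash);
    $changed = count(array_diff_assoc($after, $file));
    echo "$fn changed $changed line(s):\n  " . implode("\n  ", $after) . "\n";
}
```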


Security-Risk

Only valid users can make use of this bug, and it is quite easy to see who has overwritten another user because that username appears twice in the password file. This is why we rate the risk of this bug as low.


Vendor status

The author reacted very fast, within 6 hours, and published a new version that fixes the vulnerability.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.