BugTraq
Macromedia DW MX PHP Authentication Suite Vulnerabilities Aug 04 2003 03:08PM
Lorenzo Hernandez Garcia-Hierro (novappc novappc com)
-------------------
Product: PHP Authentication Suite for DreamWeaver
Vendor: Macromedia
Versions:
VULNERABLE

- DreamWeaver MX 6.0
- All the PHP Auth systems created with this
- Variables: any variable used like accessdenied

NOT VULNERABLE

- ?
---------------------

Description:

The PHP User Authentication Suite consists of four server behaviors for
restricting access to websites for the Dreamweaver MX PHP server model.
The four server behaviors are:
- Log In User
- Restrict Access to Page
- Log Out User
- Check New Username

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered an XSS (Cross Site Scripting) vulnerability in the LOGIN
system that allows you to include script code in the result page / login
form.

---------------------
| XSS IN |
| LOGIN FORMS |
---------------------

The XSS is in the variable that carries the URL of the denied page (URL encoded):

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]=%2F[DIR1]%2F[DIR2]%2F[DIR3]%2F[FORBIDDEN PAGE]

This occurs when you attempt to access a page of the website that
requires a valid authentication token.

The page redirects you to the [LOGIN PAGE] and includes a special
variable in the query string, [ACCESS DENIED VARIABLE]=, holding the URL
of the denied page that was requested (from the root directory,
e.g. /dir1/dir2/dir3/secret.php), URL encoded.

The XSS attack occurs when you write script code in the variable,
closing the form tag first:

http://[TARGET]/[PATH]/[LOGIN PAGE].php?[ACCESS DENIED VARIABLE]="><script>alert('.::\/\|NSRG-18-7|/\/::.');</script>

Examples:

http://www.victim.foo/secrets/login.php?accessdenied=%2Fsecrets%2Findex.php
<- ( /secrets/index.php )

http://www3.bigbank.biz/admin/ccarddb/admin.php?accessdenied=%2Fadmin%2Fccarddb%2Fexport.database.content.php
<- ( /admin/ccarddb/export.database.content.php )

http://www.sco.fm/is/a/big/*h*t.php?notalinuxerror=%2Flinuxsourcecode%2Fcopytosco.php
<- ( /linuxsourcecode/copytosco.php )

- Proof of Concept: -

Access a forbidden page and you get a URL like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?[ACCESS DENIED VARIABLE]=%2Fsecrets%2Fbankaccounts.php

Then modify the variable like this:

http://TESTING.FOO/SECRETS/LOGIN1.php?ACCESSDENIED="><iframe src="ANTI-TESTING.FOO"></iframe>
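Because the Restrict Access behavior always generates the accessdenied value from PHP_SELF plus the query string, a benign value is an absolute same-site path; anything else in that parameter is a tampering attempt worth logging. The following scanner is an added example for this post, not code from the advisory or from Macromedia: it reads constructed Apache-style access log lines, extracts the accessdenied parameter, URL-decodes it and reports values that do not fit the generated shape. The log lines, the parameter name and the helper names are all assumptions made for the example.

```php
<?php
// Added example (not the advisory's code). The log lines are constructed.
$logLines = [
    '10.0.0.5 - - [04/Aug/2003:15:08:01 +0200] "GET /secrets/login.php?accessdenied=%2Fsecrets%2Findex.php HTTP/1.1" 200 1432',
    '10.0.0.9 - - [04/Aug/2003:15:09:12 +0200] "GET /secrets/login.php?accessdenied=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1498',
    '10.0.0.9 - - [04/Aug/2003:15:09:40 +0200] "GET /secrets/login.php?accessdenied=%22%3E%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%22%3E HTTP/1.1" 200 1510',
    '10.0.0.7 - - [04/Aug/2003:15:10:02 +0200] "GET /secrets/login.php HTTP/1.1" 200 1400',
];

// The behavior emits PHP_SELF plus an optional query string, so a value the
// application itself produced is an absolute path of URL-safe characters.
function accessdeniedLooksBenign(string $decoded): bool
{
    return preg_match('#\A/[A-Za-z0-9._~/\-]*(\?[A-Za-z0-9._~%&=\-/]*)?\z#', $decoded) === 1;
}

// Returns null for lines without a suspicious accessdenied parameter,
// otherwise the decoded value together with the offending line.
function scanLogLine(string $line): ?array
{
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);            // parse_str URL-decodes the values
    if (!isset($params['accessdenied']) || !is_string($params['accessdenied'])) {
        return null;
    }
    $value = $params['accessdenied'];
    if (accessdeniedLooksBenign($value)) {
        return null;
    }
    return ['value' => $value, 'line' => $line];
}

// Walk the constructed log and report the tampered values.
foreach ($logLines as $line) {
    $hit = scanLogLine($line);
    if ($hit !== null) {
        echo "suspicious accessdenied value: " . $hit['value'] . PHP_EOL;
        echo "  in: " . $hit['line'] . PHP_EOL;
    }
}
```

Run it with `php scan.php`; the first and last lines are silent, the two lines carrying markup in the parameter are reported. The same shape check can be dropped into a log-shipping pipeline for any Dreamweaver-generated login page, since the generated value never contains quotes, angle brackets or whitespace.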

-----------
| CODES |
-----------

The LOGIN Page code:

<?php require_once('[SQL CONNECTION]'); ?>
<?php
// *** Logout the current user.
$FF_Logout = $HTTP_SERVER_VARS['PHP_SELF'] . "?FF_Logoutnow=1";
if (isset($HTTP_GET_VARS['FF_Logoutnow']) && $HTTP_GET_VARS['FF_Logoutnow']=="1") {
  session_start();
  session_unregister("MM_Username");
  session_unregister("MM_UserAuthorization");
  $FF_logoutRedirectPage = "[LOGIN PAGE]";
  // redirect with URL parameters (remove the "FF_Logoutnow" query param).
  if ($FF_logoutRedirectPage == "") $FF_logoutRedirectPage = $HTTP_SERVER_VARS['PHP_SELF'];
  if (!strpos($FF_logoutRedirectPage, "?") && $HTTP_SERVER_VARS['QUERY_STRING'] != "") {
    $FF_newQS = "?";
    reset ($HTTP_GET_VARS);
    while (list ($key, $val) = each ($HTTP_GET_VARS)) {
      if($key != "FF_Logoutnow"){
        if (strlen($FF_newQS) > 1) $FF_newQS .= "&";
        $FF_newQS .= $key . "=" . urlencode($val);
      }
    }
    if (strlen($FF_newQS) > 1) $FF_logoutRedirectPage .= $FF_newQS;
  }
  header("Location: $FF_logoutRedirectPage");
  exit;
}

// *** Start the session
session_start();
// *** Validate request to log in to this site.
$FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".$HTTP_SERVER_VARS['QUERY_STRING'];
if (isset($HTTP_POST_VARS['username'])) {
  $FF_valUsername=$HTTP_POST_VARS['username'];
  $FF_valPassword=$HTTP_POST_VARS['password'];
  $FF_fldUserAuthorization="UID";
  $FF_redirectLoginSuccess="access_granted.php";
  $FF_redirectLoginFailed="access_denied.php";
  $FF_rsUser_Source="SELECT USERNAME, PASSWD ";
  if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
  $FF_rsUser_Source .= " FROM [TABLE] WHERE USERNAME='" . $FF_valUsername . "' AND PASSWD='" . $FF_valPassword . "'";
  mysql_select_db($database_unp43s, $unp43s);
  $FF_rsUser=mysql_query($FF_rsUser_Source, $unp43s) or die(mysql_error());
  $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
  if(mysql_num_rows($FF_rsUser) > 0) {
    // username and password match - this is a valid user
    $MM_Username=$FF_valUsername;
    session_register("MM_Username");
    if ($FF_fldUserAuthorization != "") {
      $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
    } else {
      $MM_UserAuthorization="";
    }
    // ***** THIS PART INCLUDES THE AFFECTED VARIABLES *****
    session_register("MM_UserAuthorization");
    if (isset($accessdenied) && false) {
      $FF_redirectLoginSuccess = $accessdenied;
    }
    mysql_free_result($FF_rsUser);
    session_register("FF_login_failed");
    $FF_login_failed = false;
    header ("Location: $FF_redirectLoginSuccess");
    exit;
  }
  mysql_free_result($FF_rsUser);
  session_register("FF_login_failed");
  $FF_login_failed = true;
  header ("Location: $FF_redirectLoginFailed");
  exit;
}
?>

--- Access Restriction system with the XSS ---

<?php
// *** Restrict Access To Page: Grant or deny access to this page
$FF_authorizedUsers=" xXx";
$FF_authFailedURL="[LOGIN PAGE]";
$FF_grantAccess=0;
session_start();
if (isset($HTTP_SESSION_VARS["MM_Username"])) {
  if (true || !(isset($HTTP_SESSION_VARS["MM_UserAuthorization"])) || $HTTP_SESSION_VARS["MM_UserAuthorization"]=="" || strpos($FF_authorizedUsers, $HTTP_SESSION_VARS["MM_UserAuthorization"])) {
    $FF_grantAccess = 1;
  }
}
if (!$FF_grantAccess) {
  $FF_qsChar = "?";
  if (strpos($FF_authFailedURL, "?")) $FF_qsChar = "&";
  $FF_referrer = $HTTP_SERVER_VARS['PHP_SELF'];
  if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && strlen($HTTP_SERVER_VARS['QUERY_STRING']) > 0) $FF_referrer .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
  // ---------------------------------------------------------------------->
  // the affected line:
  $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);
  // <----------------------------------------------------------------------
  header("Location: $FF_authFailedURL");
  exit;
}
?>

--- the marked line above is the affected code in the access restriction system ---

-----------
|solution:|
-----------

Replace:

$FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);

with:

$FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=Your attempt was recorded";
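The fix above removes the reflected path entirely. The following is an added example, not Macromedia's code or the advisory author's, showing the alternative of keeping the return-to-page feature while (a) accepting only a same-site absolute path as the accessdenied value, (b) rebuilding the form action from that validated value instead of copying the raw QUERY_STRING, and (c) HTML-encoding the value at the point where the form echoes it, which is what stops the "><script> break-out described earlier. It assumes the login form echoes $FF_LoginAction into its action attribute (the advisory shows the variable being built, not the form markup) and PHP 7.1 or later; the function names are made up for the example.

```php
<?php
// Added example, not Macromedia's code or the advisory author's.
// Assumptions: the login form echoes the action variable into its action
// attribute, and PHP 7.1+ is in use (nullable types, the ?? operator).

// Accept only a same-site absolute path with an optional query string:
// one leading "/", not "//" or "/\" (both read as protocol-relative URLs in
// browsers), and only URL-safe characters. Anything else is discarded.
function sanitizeAccessDenied(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return '';
    }
    if (!preg_match('#\A/(?![/\\\\])[A-Za-z0-9._~/?&=%\-]*\z#', $raw)) {
        return '';
    }
    return $raw;
}

// Build the form action from the validated value rather than from the raw
// QUERY_STRING; accessdenied is the only parameter the login form needs.
function buildLoginAction(string $phpSelf, ?string $accessDenied): string
{
    $clean = sanitizeAccessDenied($accessDenied);
    if ($clean === '') {
        return $phpSelf;
    }
    return $phpSelf . '?accessdenied=' . urlencode($clean);
}

// Output encoding at the point of reflection: even a value that somehow
// passed validation cannot close the attribute or the form tag.
function renderLoginForm(string $action): string
{
    $escaped = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">' . "\n"
         . '  <input type="text" name="username">' . "\n"
         . '  <input type="password" name="password">' . "\n"
         . '  <input type="submit" value="Log in">' . "\n"
         . '</form>' . "\n";
}

// After a successful login only a validated local path may replace the
// default success page (the generated code carries this feature disabled).
function chooseSuccessRedirect(?string $accessDenied, string $default): string
{
    $clean = sanitizeAccessDenied($accessDenied);
    return $clean === '' ? $default : $clean;
}

// Demonstration: the first value is the advisory's proof-of-concept shape,
// the second a genuine denied page. In the real page the value would be
// $_GET['accessdenied'] ?? null.
foreach (['"><script>alert(1)</script>', '/secrets/bankaccounts.php'] as $value) {
    echo renderLoginForm(buildLoginAction('/secrets/login.php', $value));
    echo "redirect after login: " . chooseSuccessRedirect($value, 'access_granted.php') . "\n\n";
}
```

Running it with `php hardened.php` shows the first value being dropped (the form action falls back to the bare login page and the redirect to the default) while the second survives both URL-encoded in the action and as the post-login redirect. The validation and the output encoding are independent layers; keep both, because urlencode() protects the URL context only and does nothing for the HTML attribute the value ends up in.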

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
