sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX

Labels: security bug, critical, Improper Access Control

VedranIteh opened this issue · comments

I need someone to confirm this for other systems/configurations.
It might be related to my heavily tweaked installation.

System:
Sentora 1.0.3.1, updated through the years all the way from ZPanel. PHP 7 + Snuffleupagus
CentOS 6

Short desc:
A Sentora user can change other users' DB users, email passwords, etc. From there it is possible to progress to full account and database control.

Vuln desc:
The "Email > Mailboxes" and "Database > MySQL Users" modules pull the user ID from the URL when the EDIT button is clicked. By supplying/guessing other users' IDs (IDs are incremental, not random) you get to change passwords for those users.
Logging into their emails you can easily request a password reset for various services, including Sentora itself (if that email is used for access). The MySQL module has the same type of vulnerability, revealing the DB username too. From there it might be easy to crack down on the users' web app. The bug is probably in every other edit button in Sentora.

Example:
https://example.com/?module=mysql_users&show=Edit&other=13

Solution:

  1. check that the session ID matches the submitted form IDs
  2. check that the session ID matches the requested URL IDs
  3. randomize user IDs, use alphanumeric IDs

@MBlagui @TGates71

Hi VedranIteh,
I am the creator of the Sentora v1.0.3.1 PHP 7 upgrade code you are using.

I have checked and confirmed this is possible in the original v1.0.3 as well. This is a critical bug. I will check the other modules ASAP. I will patch my v1.0.3.1 ASAP. Great job finding this BUG.

Sentora TEAM, please check and confirm. Patch this right away for v1.0.3.

@MBlagui @TGates71

@Dukecitysolutions thank you for clearing this up.
What kind of solution did you have in mind? Need any help?

@5050

VedranIteh,
Help would be great. I agree with your solutions above.

  • Verify MySQL user belongs to the logged-in user for EDITS.
  • Change userid to random 5-10 letters to hide id in URL

I am trying to work on this and find a solution. Let me know if you have any ideas.

@MBlagui @TGates71 @5050 your help/input would be great.
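The following is an added example, not code from Sentora or from anyone in this thread. It demonstrates the fix both the issue's solution list and the bullets above are asking for: the "before" lookup that trusts the `other=` id from the URL, and the "after" lookup that scopes every read and write to the account held in the session, used identically for the Edit link (URL id) and the submitted form (hidden form id). It also shows the "random letters in the URL" suggestion as an opaque `public_ref` column, kept separate from the authorisation check so that hiding the id is never mistaken for enforcing ownership. The table, column and function names, the session layout, and the in-memory SQLite database standing in for Sentora's MySQL schema are all assumptions made for this example; the sample rows are constructed.

```php
<?php
// Added example, not Sentora's own code. Table/column names, session layout
// and the SQLite-in-memory backend are assumptions for a self-contained demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mysql_users (
    id         INTEGER PRIMARY KEY,      -- sequential id (the one exposed as ?other=N)
    owner_id   INTEGER NOT NULL,         -- Sentora account that owns this DB user
    public_ref TEXT    NOT NULL UNIQUE,  -- random alphanumeric handle for URLs
    username   TEXT    NOT NULL,
    password   TEXT    NOT NULL
)');

// Opaque URL reference (the "random 5-10 letters" suggestion). It hides the
// sequential id from the URL but is NOT an authorisation check on its own.
function newPublicRef(int $len = 10): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Constructed sample rows: account 4 owns row 12, account 7 owns row 13.
$ins = $pdo->prepare('INSERT INTO mysql_users (id, owner_id, public_ref, username, password) VALUES (?,?,?,?,?)');
$ins->execute([12, 4, newPublicRef(), 'acct4_db', 'old-4']);
$ins->execute([13, 7, newPublicRef(), 'acct7_db', 'old-7']);

// BEFORE: the row is selected by the id from the URL alone, so any logged-in
// account that supplies ?other=13 receives account 7's record for editing.
function loadForEditVulnerable(PDO $pdo, int $rowId): ?array
{
    $st = $pdo->prepare('SELECT * FROM mysql_users WHERE id = ?');
    $st->execute([$rowId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// AFTER: every lookup is scoped to the account in the session. Call this same
// function for the Edit link (GET ...&other=N) and for the posted form id,
// which covers points 1 and 2 of the reporter's solution list.
function loadForEditOwned(PDO $pdo, int $rowId, int $sessionUserId): ?array
{
    $st = $pdo->prepare('SELECT * FROM mysql_users WHERE id = ? AND owner_id = ?');
    $st->execute([$rowId, $sessionUserId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Lookup by the opaque handle: still filtered by owner_id, so a leaked or
// guessed handle never crosses account boundaries.
function loadByPublicRefOwned(PDO $pdo, string $ref, int $sessionUserId): ?array
{
    $st = $pdo->prepare('SELECT * FROM mysql_users WHERE public_ref = ? AND owner_id = ?');
    $st->execute([$ref, $sessionUserId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Password change on POST: the UPDATE itself carries the owner_id condition, so
// even a hidden form field pointing at another account's row changes nothing.
function changePassword(PDO $pdo, int $rowId, int $sessionUserId, string $newPassword): bool
{
    if (loadForEditOwned($pdo, $rowId, $sessionUserId) === null) {
        return false; // respond as "no such record"; do not echo the username
    }
    $st = $pdo->prepare('UPDATE mysql_users SET password = ? WHERE id = ? AND owner_id = ?');
    $st->execute([$newPassword, $rowId, $sessionUserId]);
    return $st->rowCount() === 1;
}

// Simulated request from the issue: account 4 is logged in and requests
// ?module=mysql_users&show=Edit&other=13, which belongs to account 7.
$sessionUserId = 4;                 // would come from the server-side session
$requestedId   = (int) '13';        // would come from $_GET['other']; cast, never trusted

$leaked = loadForEditVulnerable($pdo, $requestedId);
$scoped = loadForEditOwned($pdo, $requestedId, $sessionUserId);
printf("vulnerable lookup returned: %s\n", $leaked ? $leaked['username'] : 'nothing');
printf("ownership-checked lookup returned: %s\n", $scoped ? $scoped['username'] : 'nothing');

// Form submission carrying the other account's id must be refused;
// the account's own row (12) may be updated.
$refused = changePassword($pdo, 13, $sessionUserId, 'attacker-chosen');
$allowed = changePassword($pdo, 12, $sessionUserId, 'new-password-for-4');
printf("update of row 13 by account 4 succeeded: %s\n", $refused ? 'yes' : 'no');
printf("update of row 12 by account 4 succeeded: %s\n", $allowed ? 'yes' : 'no');
```

Run it with `php` on the command line (it needs the bundled `pdo_sqlite` extension). The point to carry back into the real modules is that the owner condition belongs in every SELECT and UPDATE, not just in a pre-check, and that the random `public_ref` is a usability and enumeration-resistance measure layered on top of that, not a replacement for it.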

Resolved in v2?

Fixed. Closing.