[VIM] uncertain: FCMS (Family Connections) code execution
George A. Theall
theall at tenablesecurity.com
Wed Aug 15 11:42:16 UTC 2007
On 08/14/07 19:30, Steven M. Christey wrote:
> There's a dispute here:
>
> http://www.securityfocus.com/archive/1/archive/1/476293/100/0/threaded
>
> that points to an "original exploit" for an entirely different product
> at http://www.milw0rm.com/exploits/4145, so maybe the dispute is about
> copying someone else's exploit without credit.
I think so. Plus, as hawkgotyou noted, the PoC doesn't work.
> Looking at the source code for index.php in version 0.6, we have:
>
> if (isset($_COOKIE['fcms_login_id'])) {
>     $_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
> }
>
> but, except for a mysql_query() that might have an SQL injection, the
> code only does a meta-refresh to home.php.
I agree - the SQL injection looks valid to me. It probably exists in other
places too.
> There isn't any other code in index.php; the rest are function
> definitions.
>
> Now, I don't know how PHP saves and passes session information back to
> the user across requests, but maybe this meta-refresh is enough for
> deeper access?
What's happening is that there's a session created at the start of
index.php. If I'm understanding the code correctly, that will be empty,
at least for normal users, unless you authenticate. You'll still get a
cookie, though, that can be used to track your visits.
If you do authenticate successfully, the login_id session variable will
hold the value of your id, as obtained from the database, and it looks
like you can get another cookie, fcms_login_id, if you select the
"Remember me" checkbox when logging in.
The problem is that you can bypass authentication as ilkerkandemir notes
simply by setting the fcms_login_id cookie to an id of interest. The
code in that case updates the login_id session variable and you will be
logged in as long as you include the session identifying cookie in
subsequent requests.
That said, you shouldn't even need to worry about the session cookie in
subsequent requests -- just pass in the fcms_login_id cookie as scripts
like home.php treat it as equivalent to the login_id session variable.
And finally, the PoC looks bogus to me since I don't see any use of
'content' as passed in remotely in index.php.
George
--
theall at tenablesecurity.com
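The cookie-to-session copy George describes, shown side by side with a hardened "remember me" design. This is an added example and is not FCMS code or a fix shipped by the project: the vulnerable function mirrors the shape of the quoted index.php snippet, while the selector/validator token scheme, the fcms_remember cookie name, the token table and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not FCMS code): the "remember me" cookie pattern discussed
// above, in the vulnerable form and an assumed hardened form.
// Runs from the CLI: php remember_me.php
// The "database" is an in-memory array; all inputs below are constructed.

declare(strict_types=1);

// --- Vulnerable pattern (the shape of the quoted index.php code) -----------
// Whatever the client puts in the cookie becomes the logged-in user id, so a
// client can pick any id of interest without knowing a password.
function loginFromCookieInsecure(array $cookie, array &$session): void
{
    if (isset($cookie['fcms_login_id'])) {
        $session['login_id'] = $cookie['fcms_login_id'];
    }
}

// --- Hardened pattern (assumed design, not from the page) -------------------
// The cookie carries a random selector and validator rather than the user id.
// Only a hash of the validator is stored server-side, so a leaked token table
// cannot be replayed as cookies, and the comparison is constant-time.
const REMEMBER_DAYS = 30;

function issueRememberToken(array &$tokens, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $tokens[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_DAYS * 86400,
    ];
    return $selector . ':' . $validator;   // value of the fcms_remember cookie
}

function loginFromCookieSecure(array $cookie, array &$session, array $tokens): bool
{
    if (!isset($cookie['fcms_remember']) || !is_string($cookie['fcms_remember'])) {
        return false;
    }
    $parts = explode(':', $cookie['fcms_remember'], 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$selector, $validator] = $parts;
    if (!isset($tokens[$selector]) || $tokens[$selector]['expires'] < time()) {
        return false;
    }
    if (!hash_equals($tokens[$selector]['hash'], hash('sha256', $validator))) {
        return false;
    }
    // The user id comes from the server-side record, never from the client.
    $session['login_id'] = $tokens[$selector]['user_id'];
    return true;
}

// --- Demonstration ---------------------------------------------------------
$session = [];
// Constructed attacker cookie: an id of interest, and the session accepts it.
loginFromCookieInsecure(['fcms_login_id' => '1'], $session);
printf("insecure: login_id=%s\n", var_export($session['login_id'] ?? null, true));

$tokens  = [];
$session = [];
// Forging a user id no longer works: the hardened check needs an issued token.
$ok = loginFromCookieSecure(['fcms_remember' => '1'], $session, $tokens);
printf("secure, forged cookie: %s\n", $ok ? 'accepted' : 'rejected');

// A token issued at a real login is accepted and maps back to that user.
$cookieValue = issueRememberToken($tokens, 42);
$ok = loginFromCookieSecure(['fcms_remember' => $cookieValue], $session, $tokens);
printf("secure, issued token: %s, login_id=%s\n",
    $ok ? 'accepted' : 'rejected', var_export($session['login_id'] ?? null, true));
```

The other half of the fix follows from George's last point: pages such as home.php should read the identity only from the server-side session, never fall back to the raw cookie, otherwise the hardened login path can simply be skipped.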