During a penetration test, RedTeam Pentesting discovered an Authentication Bypass vulnerability in the Owl Intranet Engine, which allows unauthenticated users administrative access to the affected systems.
Vulnerable Systems:
* Owl Intranet Engine Version 1.00 and prior
Immune Systems:
* Owl Intranet Engine Version 1.01
The Owl Intranet Engine implements an administrative interface, allowing users in the "Administrators" group to add and edit users and generally maintain the Owl system. By default, a guest account is activated that can be used for anonymous read-only access.
Under normal circumstances, no user is allowed access to the system if authentication or authorisation fails. If however the guest account on the system is deactivated (option "Disable User"), it is possible to completely bypass authentication and authorisation and gain access to the admin area.
Calling a web page belonging to the administrative interface first checks whether the user is authorised to view this page. For this purpose, the function fIsAdmin(true) in lib/owl.lib.php is called. If the return value is "false", the PHP function die() is called, showing the user a message that he or she is not authorized to view this page.
If the return value is "true" but guest access is disabled, the PHP function header() is used to redirect the user to the login page without calling die() to prevent the page from being built. If the browser is configured not to follow the redirect, the whole page content is shown to the attacker.
Because the Owl Intranet Engine calls the PHP function extract() on the global arrays $_POST and $_GET, the value of the global variable $userid can be set by passing it as a GET variable. Appending the string "?userid=VALUE" to the URL sets an arbitrary value for the userid.
The initial "admin" user always has the id "1", so this value can be used to obtain an administrative user's id. In the fIsAdmin() function, the access rights of the user are checked using the following query:
"SELECT userid,groupid from membergroup where userid = '$userid' and groupid = '0'"
The $userid variable now contains the global value "1" set via the GET request, so the query returns "true" and the requested page is loaded in the attacker's browser.
Proof of Concept
A web browser that does not follow redirects is needed, for example Firefox with the NoRedirect extension installed and activated.
The following URL displays the "Users&Groups" tab of the administrative interface:
http://www.example.org/owl/admin/index.php?userid=1
The next URL displays the mask for adding new users to the system:
http://www.example.org/owl/admin/index.php?userid=1&newuser
This URL allows direct editing of the default administrator account:
http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1
Workaround
A possible workaround would be to add a call to exit() after every header() call used for redirecting. This way, no page content will be displayed. The default value of the variable $userid should also be set to a sane default value after the call to the extract() function on the global $_GET and $_POST arrays.
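To illustrate the two defects described above and the workaround, here is an added example, not Owl's own code: a simplified sketch of the vulnerable admin gate beside a hardened version. The function names, the mysqli connection $db, the ../login.php path and the session handling are assumptions; extract(), header(), $userid and the membergroup query are taken from the advisory.

```php
<?php
// Added illustration of the advisory's two defects and their fixes; not Owl's code.
// Assumed: a mysqli connection $db and a login page at ../login.php.

// --- Vulnerable pattern (simplified from the advisory's description) ---
function vulnerable_admin_gate(mysqli $db, bool $guestDisabled): void
{
    // extract() turns every request parameter into a variable: ?userid=1 sets $userid.
    extract($_GET);
    extract($_POST);

    // $userid is interpolated straight into the query and was never given a default.
    $sql = "SELECT userid,groupid from membergroup where userid = '$userid' and groupid = '0'";
    $res = $db->query($sql);
    $isAdmin = ($res !== false && $res->num_rows > 0);

    if (!$isAdmin) {
        die('You are not authorized to view this page.');
    }
    if ($guestDisabled) {
        // No exit() after the redirect: the script keeps running and the admin page
        // body is still sent. A client that ignores the Location header sees it all.
        header('Location: ../login.php');
    }
    // ... administrative page is rendered from here on ...
}

// --- Hardened pattern ---
function hardened_admin_gate(mysqli $db): void
{
    // Identity comes from the server-side session, never from request parameters.
    session_start();
    $userid = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : 0; // 0 = nobody

    if ($userid <= 0) {
        header('Location: ../login.php');
        exit(); // stop here so nothing is emitted after the redirect
    }
    // Prepared statement: the id is bound as an integer, not spliced into SQL.
    $stmt = $db->prepare('SELECT userid FROM membergroup WHERE userid = ? AND groupid = 0');
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows === 0) {
        http_response_code(403);
        exit('You are not authorized to view this page.');
    }
    // ... administrative page is rendered from here on ...
}
```

The hardened version fixes both issues independently: even if the session check were bypassed, exit() after header() guarantees no page body follows the redirect, and the bound integer parameter removes the string interpolation from the membership query.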
Fix
Upgrade to version 1.01.
History
2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor released fixed version and notified customer base
2011-12-15 Advisory released