Security Vulnerability
Burden /login.php burden_user_rememberme Cookie Tampering Authentication Bypass Vulnerability

Published: 2014-01-14
Updated: 2014-02-03

Affected systems:
Burden Burden <= 1.8
Description:
CVE(CAN) ID: CVE-2013-7137

Burden is a task management application written in PHP.

In Burden versions prior to 1.8.1, the "remember me" feature of login.php allows a remote attacker to set the burden_user_rememberme cookie to 1, which bypasses authentication and yields elevated privileges.

<*Source: High-Tech Bridge SA (http://www.htbridge.ch/)
  
  Links: http://osvdb.org/show/osvdb/101456
         http://www.exploit-db.com/exploits/30916/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users act at their own risk!

Advisory ID: HTB23192
Product: Burden
Vendor: Josh Fradley
Vulnerable Version(s): 1.8 and probably prior
Tested Version: 1.8
Advisory Publication:  December 18, 2013  [without technical details]
Vendor Notification: December 18, 2013
Vendor Patch: December 18, 2013
Public Disclosure: January 8, 2014
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: CVE-2013-7137
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the application authentication mechanism of Burden, which can be exploited by a remote non-authenticated attacker to gain administrative access to the vulnerable application.


1) Improper Authentication in Burden: CVE-2013-7137

The vulnerability exists due to insufficient authentication when handling "burden_user_rememberme" cookie parameter. A remote unauthenticated user can set "burden_user_rememberme" cookie to "1" and gain administrative access to the application.

The exploitation example below shows an HTTP GET request that grants administrative privileges to the user:

GET /login.php HTTP/1.1
Cookie: burden_user_rememberme=1;

The cookie can also be changed using a browser plugin such as Firebug for Firefox.
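As an added illustration (not Burden's actual source, which the advisory does not quote), the following PHP contrasts the flaw described above, a "remember me" check that trusts a client-supplied flag, with a check that binds the cookie to a random server-side token. Everything except the cookie name is assumed.

```php
<?php
// VULNERABLE pattern (hypothetical reconstruction): the cookie value itself is
// treated as proof of identity, so any client sending burden_user_rememberme=1
// is logged in. Note the loose "== 1" comparison also accepts the string "1".
function vulnerable_remember_me_check(array $cookies): bool {
    return isset($cookies['burden_user_rememberme'])
        && $cookies['burden_user_rememberme'] == 1;
}

// HARDENED pattern: at login, issue a long random token, store only its hash
// keyed to the user, and hand the raw token to the browser as the cookie value.
// $store stands in for a database table of remember-me tokens.
function issue_remember_me_token(array &$store, int $userId): string {
    $token = bin2hex(random_bytes(32));         // 256 bits of entropy, unguessable
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + 30 * 24 * 3600,  // 30-day lifetime
    ];
    // In a real app the cookie is then set with the secure and httponly flags.
    return $token;
}

// On a later visit, hash the presented cookie and look it up. A value such as
// "1" hashes to nothing in the store and is rejected; only the token issued to
// a user maps back to that user's id. Returns the user id or null.
function hardened_remember_me_check(array $store, array $cookies): ?int {
    if (empty($cookies['burden_user_rememberme'])) {
        return null;
    }
    $lookup = hash('sha256', (string) $cookies['burden_user_rememberme']);
    if (!isset($store[$lookup]) || $store[$lookup]['expires'] <= time()) {
        return null;                            // unknown, forged or expired
    }
    return $store[$lookup]['user_id'];
}

// Demonstration with a constructed token store.
$store = [];
$token = issue_remember_me_token($store, 1);
// Forged flag: accepted by the vulnerable check, rejected by the hardened one.
var_dump(vulnerable_remember_me_check(['burden_user_rememberme' => '1']));
var_dump(hardened_remember_me_check($store, ['burden_user_rememberme' => '1']));
// Genuine token: maps back to user 1.
var_dump(hardened_remember_me_check($store, ['burden_user_rememberme' => $token]));
```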

-----------------------------------------------------------------------------------------------

Solution:

Update to Burden 1.8.1

More Information:
https://github.com/joshf/Burden/releases/tag/1.8.1

Recommendation:
Vendor patch:

Burden
------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

https://github.com/joshf
Reference: https://github.com/joshf/Burden/issues/2
