-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following design error in phpsquidpass:

Details
- -------
Product: phpsquidpass
Affected Version: 0.11 and maybe all versions before
Immune Version: 0.2
OS affected: all OS with php
Vendor-URL: http://sourceforge.net/projects/phpsquidpass
Vendor-Status: informed, new version available
Security-Risk: low
Remote-Exploit: Yes

Introduction
- ------------
phpsquidpass is a php frontend for squid users to change their passwords. Unfortunately the software suffers from a design error which can lead to overwriting existing users.

More details
- ------------
The problem is the wrong use of the php function ereg. While searching for the username the regular expression used is "$username:". Because the pattern is not anchored to the start of a line, it also matches every username that ends in $username.

Proof-of-concept
- ----------------
$ cat /etc/squid/conf/proxy_users
otheruser:abcabcabcabc
user:u2rsop.rgGdMQ

Password for otheruser is unknown, password for user is "pppdesign".
Now use phpsquidpass: log in with username "user", old password "pppdesign", new password "anything".

$ cat /etc/squid/conf/proxy_users
user:qOeMIgXWkhxD.
user:S6UsDZDEwc1aY

The username "otheruser" is replaced with "user", the password is "anything" for both lines. This will work every time the short username is the tail of the long one and the long one is placed before the shorter username.

Temporary-fix
- -------------
Replace the regular expressions:

54c54
< if (!ereg("$username:.",$password_file)) {
> if (!ereg("(^$username:.|\n$username:.)",$password_file)) {
63c63
< if (ereg("$username:.",$line)) {
> if (ereg("(^$username:.|\n$username:.)",$line)) {
115c115
< if (ereg("$username:.",$password_file[$x])) {
> if (ereg("^($username:.)",$password_file[$x])) {

Fix
- ---
Use at least phpsquidpass v0.2, which fixes the bug nearly the same way the temporary fix does.
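Review bot: in hunk 54c54 the anchor fixes the prefix problem, but $username is still interpolated into the ereg pattern unescaped, so any regex metacharacters in a username become part of the expression; quote the value before building the pattern (PHP's preg_quote does this for the preg_* functions). The same applies to the patterns in 63c63 and 115c115.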
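Review bot: hunks 63c63 and 115c115 both test a single line yet use different anchors ("(^…|\n…)" versus "^(…)"); if $line in 63c63 holds one line, the "\n" alternative can never match, and using the "^$username:." form from 115c115 in both places keeps the three checks consistent and easier to audit.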
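As an added illustration of the matching error described under "More details" and "Proof-of-concept": the Python below is editor-written, not phpsquidpass code. It re-implements the unanchored lookup next to an anchored one over a constructed copy of the advisory's sample password file, and adds the duplicate-username check that the Security-Risk section relies on to spot an overwrite. NEWHASH is a placeholder for the crypt hash a real update would write.

```python
import re

# Constructed sample password file, in the same "<username>:<crypt hash>"
# per-line shape as the advisory's /etc/squid/conf/proxy_users listing.
SAMPLE_FILE = "otheruser:abcabcabcabc\nuser:u2rsop.rgGdMQ\n"


def user_exists_vulnerable(username, password_file):
    # Mirrors the unanchored ereg("$username:.") lookup: "user:" is also
    # found inside "otheruser:", so the check matches the wrong account.
    return re.search(username + ":.", password_file) is not None


def user_exists_fixed(username, password_file):
    # Anchored to the start of the file or the start of a line, like the
    # temporary fix; re.escape keeps regex metacharacters in the username
    # from being interpreted as pattern syntax.
    pattern = r"(^|\n)" + re.escape(username) + ":."
    return re.search(pattern, password_file) is not None


def update_password_vulnerable(username, new_hash, password_file):
    # Per-line version of the same unanchored match: every line whose
    # username ends with `username` is rewritten as "<username>:<new_hash>".
    out = []
    for line in password_file.splitlines():
        if re.search(username + ":.", line):
            out.append(username + ":" + new_hash)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def update_password_fixed(username, new_hash, password_file):
    # Anchored per-line match (the "^($username:.)" form of the fix), so only
    # the line that begins with exactly this username is touched.
    pattern = re.compile("^" + re.escape(username) + ":.")
    out = []
    for line in password_file.splitlines():
        if pattern.search(line):
            out.append(username + ":" + new_hash)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def usernames(password_file):
    # Username part of every non-empty "<username>:<hash>" line.
    return [line.split(":", 1)[0] for line in password_file.splitlines() if line]


def overwritten_users(before, after):
    # Accounts present before the update but gone afterwards.
    return sorted(set(usernames(before)) - set(usernames(after)))


def duplicate_users(password_file):
    # The tell-tale the advisory points at: a username appearing twice.
    names = usernames(password_file)
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    # "NEWHASH" is a placeholder for the crypt() output a real update writes.
    broken = update_password_vulnerable("user", "NEWHASH", SAMPLE_FILE)
    fixed = update_password_fixed("user", "NEWHASH", SAMPLE_FILE)
    print("vulnerable result:\n" + broken)
    print("overwritten:", overwritten_users(SAMPLE_FILE, broken))
    print("duplicates:", duplicate_users(broken))
    print("fixed result:\n" + fixed)
```

Running the vulnerable update for "user" rewrites both lines and leaves "user" twice in the file, which is exactly what duplicate_users() reports; the anchored update touches only the matching line. The escaping in the fixed variants goes one step beyond the advisory's patch, which interpolates the username into the pattern as-is.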
Security-Risk
- -------------
Only valid users can make use of this bug and it is quite easy to see who has overwritten another user, because his username appears twice in the password file. This is why we rate the risk of this bug as low.

Vendor status
- -------------
The author reacted very fast, within 6 hours, and published a new version that fixes the vulnerability.

Disclaimer
- ----------
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online: http://www.ppp-design.de/advisories.php

- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9Fe47DXh7YLO1RRoRAtKOAJ9dLTxr+jsiCSxYBoiAHhSDqRNCAwCg+by4
078O8P+OrkFBPh+WwzTsA54=
=ffLc
-----END PGP SIGNATURE-----