Contents
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description
http://www.wooyun.org/bugs/wooyun-2010-067447
WDCP is a server control panel. Its mysql/add_user.php script performs none of the required authentication checks, so any user, logged in or not, can reach it.
2. Vulnerability Trigger Condition
There is no precondition: any user can directly request these interfaces and add database accounts and databases.
http://xxxxx:8080/mysql/add_user.php
http://xxxxx:8080/mysql/add_db.php
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2010-067447
http://www.wdlinux.cn/wdcp/Install.html
3. Vulnerability Impact Range
After the vulnerability was reported on WooYun, the vendor repaired it and released the fixed files, which are Zend-encrypted. Because more than one file may be affected, we use patch diffing to compare the patched code against the vulnerable file list and locate the files at the root of this vulnerability.
Vulnerable code:
find /www/wdlinux/wdcp/mysql -type f -print0 | xargs -0 md5sum
Fixed code:
find /zhenghan/vulpoc/wdcp/lanmp/www/wdlinux/wdcp/mysql -type f -print0 | xargs -0 md5sum
Diffing the two lists shows that only two files have different MD5 values, so the vendor's fix touches exactly these two files:
add_user.php
add_db.php
4. Vulnerability Code Analysis
0x1: PHP Zend Optimizer
PHP Zend Optimizer is a code precompilation module built on the Zend engine. It precompiles PHP source into an intermediate form that Zend Optimizer understands, trading space for time; even so, running under Zend Optimizer requires no additional disk space. This precomputation approach can significantly improve the speed of PHP applications.
Relevant Link:
http://www.zend.com/topics/Zend-Optimizer-User-Guide-v330-new.pdf
http://www.ibm.com/developerworks/cn/opensource/os-php-zend1/
http://baike.baidu.com/view/772047.htm
http://kb.zend.com/how-to-install-zend-optimizer-manually/
http://www.zend.com/en/products/guard/downloads#Windows
http://kb.zend.com/how-to-install-zend-optimizer-manually/#.VFIS2VMUEKQ
0x2: Code Vulnerability Analysis
The code under audit is Zend-encrypted and can be decrypted with DeZender.exe. When time permits, the principle of Zend Optimizer's dynamic encryption and decryption, and how DeZender implements this as a PHP extension, are worth studying.
The decrypted mysql/add_user.php:
<?php
require_once "../inc/common.inc.php";
// $host and $rtime are assigned elsewhere (not visible in the decrypted listing).
if (isset($_POST['submit_add'])) {
    $user     = chop($_POST['user']);
    $password = chop($_POST['password']);
    $dbname   = chop($_POST['dbname']);
    check_user($user);
    check_string($password);
    check_string($dbname);
    // There is no authentication done here; it is a direct high-risk operation.
    create_db_user($user, $password, $host);
    grant_db_user($user, $host, $dbname);
    mysql_add_user($user, $password, $host, $dbname, $rtime);
    optlog($wdcdn_uid, "add MySQL database $user", 0, 0);
    str_go_url("database user added success!", 0);
}
$member_list = member_list();
$site_list   = site_list();
$db_list     = db_list();
require_once(g_t("mysql/add_user.htm"));
?>
5. Defense Methods
The vendor has published a fix.
Relevant Link:
http://www.wdlinux.cn/bbs/thread-37476-1-1.html
6. Defensive Thinking
1. Authentication and permission authorization form the security boundary of a web application. Best practice is strict authentication at the application's entry point; scattering the check across the sub-files of each business function is unreasonable.
2. At the site's routing entry point, enforce a mandatory redirect to identity authentication, keep the current authentication state in the session, and deploy a lightweight session check on every sub-page: if the check finds "not logged in", force a jump to the single central authentication routing page.
3. This centralized defense eliminates the omissions that arise when authentication code is deployed separately on each sub-page.
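As an added example (not WDCP's or the vendor's code) of the centralized check in point 2: a session guard that every sub-page inherits through the shared include, so a missing check like the one in add_user.php cannot recur. The login URL, the session key wdcp_uid, and the use of $wdcdn_uid as the current user id are assumptions.

```php
<?php
// auth_guard.php: added example, not WDCP's own code. Included once from the
// shared common.inc.php so every sub-page gets the same check automatically.
// Assumed names: the central login page is /login.php and a successful login
// stores the user's id in $_SESSION['wdcp_uid'].

function require_login($login_url = '/login.php')
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['wdcp_uid'])) {
        // Not logged in: force the jump to the single central login page.
        // exit is essential: header() alone does not stop the script, and the
        // high-risk code placed after the check would still execute.
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return (int) $_SESSION['wdcp_uid'];
}

// How a sub-page such as mysql/add_user.php uses it (hardened form of the
// decrypted listing above; assumes $wdcdn_uid is the current user's id):
//
//   require_once "../inc/common.inc.php";  // pulls in auth_guard.php
//   $wdcdn_uid = require_login();          // nothing below runs when not logged in
//   if (isset($_POST['submit_add'])) {
//       // ... check_user(), check_string(), create_db_user(), ...
//   }
```

The guard runs before any POST handling, so an unauthenticated request never reaches create_db_user() regardless of which sub-page forgot its own check.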
Copyright (c) Littlehann All rights reserved
WDCP (wdlinux Control Panel) mysql/add_user.php, mysql/add_db.php Missing Authentication