# Advisory: Owl Intranet Engine: Authentication Bypass

During a penetration test, RedTeam Pentesting discovered an Authentication Bypass vulnerability in the Owl Intranet Engine, which allows unauthenticated users administrative access to the affected systems.

### Details

- Product: Owl Intranet Engine
- Affected Versions: 1.00, possibly all older versions
- Fixed Versions: 1.01
- Vulnerability Type: Authentication Bypass
- Security Risk: high
- Vendor URL: `http://owl.anytimecomm.com`
- Vendor Status: fixed version released
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2011-005`
- Advisory Status: published
- CVE: GENERIC-MAP-NOMATCH
- CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH`

### Introduction

"Owl is a multi user document repository (knowledge base) system written in PHP for publishing files/documents onto the web for a corporation, small business, group of people, or just for yourself." (From the vendor's homepage)

### More Details

The Owl Intranet Engine implements an administrative interface, allowing users in the "Administrators" group to add and edit users and generally maintain the Owl system. By default, a guest account is activated that can be used for anonymous read-only access. Under normal circumstances, no user is allowed access to the system if authentication or authorisation fails. If however the guest account on the system is deactivated (option "Disable User"), it is possible to completely bypass authentication and authorisation and gain access to the admin area.

Calling a web page belonging to the administrative interface first of all checks if a user is authorised to view this page. For this purpose, the function `fIsAdmin(true)` in `lib/owl.lib.php` is called. If the return value is "false", the PHP function `die()` is called, showing a message to the user that he or she is not authorized to view this page.
If the return value is "true" and the guest access is disabled though, the PHP function `header()` is used to redirect the user to the login page, without calling `die()` to prevent the rest of the page from being built. If the browser is configured not to follow the redirect, the whole page content is shown to the attacker.

As the Owl Intranet Engine uses the PHP function `extract()` on the global arrays `$_POST` and `$_GET`, it is possible to set the value of the global variable `$userid` by passing it as a GET variable. Appending the string "?userid=VALUE" to the URL allows setting an arbitrary value for the userid. The initial "admin" user always has the id "1", so this value can be used to obtain an administrative user's id. In the `fIsAdmin()` function, the access rights of the user are checked using the query

```
SELECT userid,groupid from membergroup where userid = '$userid' and groupid = '0'
```

The `$userid` variable now contains the global value "1" set via the GET request, so the query returns a match and the requested page is loaded in the attacker's browser.

### Proof of Concept

A web browser that does not follow redirects is needed, for example Firefox with the NoRedirect extension installed and activated. The following URL displays the "Users&Groups" tab of the administrative interface:

`http://www.example.org/owl/admin/index.php?userid=1`

The next URL displays the mask for adding new users to the system:

`http://www.example.org/owl/admin/index.php?userid=1&newuser`

This URL allows direct editing of the default administrator account:

`http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1`

### Workaround

A possible workaround would be to add a call to `exit()` after every `header()` call used for redirecting. This way, no page content will be displayed. The default value of the variable `$userid` should also be set to a sane default value after the call to the `extract()` function on the global `$_GET` and `$_POST` arrays.

### Fix

Upgrade to version 1.01.
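The two defects described in the "More Details" section (request parameters imported into the global scope with `extract()`, and a `header()` redirect that does not terminate the script) and the workaround above, shown side by side as an added PHP illustration. This is not code from the Owl Intranet Engine or from RedTeam Pentesting; the function names, the session key `$_SESSION['userid']`, the login path `/owl/login.php` and the PDO handle are assumptions made for the example.

```php
<?php
// Added illustration, not Owl code: each defect from the advisory next to
// its hardened form. All names below are assumptions for this example.

// --- Defect 1: request variables become application globals -----------
// extract() on $_GET / $_POST turns every request parameter into a global,
// so "?userid=1" in the URL defines $userid before any check runs.
function load_request_vars_unsafe(): void {
    extract($_GET);   // an attacker-chosen $userid now exists in global scope
    extract($_POST);
}

// Hardened: the identity is taken only from the server-side session
// (assumed to be filled by the login handler); request input never
// reaches the global scope and cannot override it.
function current_user_id(): ?int {
    return isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
}

// Mirrors the advisory's query with $userid interpolated from wherever the
// global scope got it (possibly from extract() above).
function is_admin_unsafe(PDO $db, $userid): bool {
    $sql = "SELECT userid,groupid FROM membergroup "
         . "WHERE userid = '$userid' AND groupid = '0'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: integer id from the session, bound as a parameter.
function is_admin(PDO $db, int $userid): bool {
    // groupid 0 is the Administrators group, as in the advisory's query.
    $stmt = $db->prepare(
        'SELECT 1 FROM membergroup WHERE userid = ? AND groupid = 0');
    $stmt->execute([$userid]);
    return $stmt->fetchColumn() !== false;
}

// --- Defect 2: header() redirect that does not stop the script --------
// The admin page body is still rendered after the Location header, so a
// client that ignores the redirect receives the full page.
function require_admin_unsafe(PDO $db, $userid, bool $guestDisabled): void {
    if (!is_admin_unsafe($db, $userid)) {
        die('You are not authorized to view this page');
    }
    if ($guestDisabled && !isset($_SESSION['userid'])) {
        header('Location: /owl/login.php');
        // no exit(): execution continues and the page is built anyway
    }
}

// Hardened: exit() directly after every redirecting header(), and the
// admin check runs on the session-backed id. Returns the verified id so
// the calling page can use it.
function require_admin(PDO $db): int {
    $userid = current_user_id();
    if ($userid === null) {
        header('Location: /owl/login.php');
        exit;   // nothing below this line is sent to the client
    }
    if (!is_admin($db, $userid)) {
        http_response_code(403);
        exit('You are not authorized to view this page');
    }
    return $userid;
}
```

In the hardened path the only way to reach the page body is through `require_admin()` returning, which happens only for a session-authenticated user who is a member of group 0; a disabled guest account no longer changes which branch renders the page.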
### Security Risk

This vulnerability allows unauthenticated and unauthorised users to access the Owl Intranet Engine with administrative access rights, allowing them to fully control the affected system.

### History

- 2011-05-29 Vulnerability identified
- 2011-07-26 Customer approved disclosure to vendor
- 2011-10-31 Vendor notified
- 2011-11-30 Vendor released fixed version and notified customer base
- 2011-12-15 Advisory released

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests (pentests for short), performed by a team of specialised IT-security experts. In the process, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at .