Owl Intranet Engine 1.00 Authentication Bypass

Owl Intranet Engine 1.00 Authentication Bypass
Posted Dec 15, 2011
Site redteam-pentesting.de

Owl Intranet Engine version 1.00 suffers from multiple authentication bypass vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 5304b380a361124cff3e565a933670de23c3fbfcbacba16332fe80f88e1c2995

Advisory: Owl Intranet Engine: Authentication Bypass

During a penetration test, RedTeam Pentesting discovered an
Authentication Bypass vulnerability in the Owl Intranet Engine, which
allows unauthenticated users administrative access to the affected
systems.


Details
=======

Product: Owl Intranet Engine
Affected Versions: 1.00, possibly all older versions
Fixed Versions: 1.01
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://owl.anytimecomm.com
Vendor Status: fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself."

(From the vendor's homepage)


More Details
============

The Owl Intranet Engine implements an administrative interface, allowing
users in the "Administrators" group to add and edit users and generally
maintain the Owl system. By default, a guest account is activated that
can be used for anonymous read-only access.

Under normal circumstances, no user is allowed access to the system if
authentication or authorisation fails. If however the guest account on
the system is deactivated (option "Disable User"), it is possible to
completely bypass authentication and authorisation and gain access to
the admin area.

When a web page belonging to the administrative interface is called, it
first checks whether the user is authorised to view this page. For this
purpose, the function fIsAdmin(true) in lib/owl.lib.php is called. If the
return value is "false", the PHP function die() is called, showing a
message to the user that he or she is not authorized to view this page.

If the return value is "true" but guest access is disabled, the PHP
function header() is used to redirect the user to the login page, without
a subsequent call to die() or exit() that would stop the page from being
built. If the browser is configured not to follow the redirect, the whole
page content is shown to the attacker.

As the Owl Intranet Engine uses the PHP function extract() on the global
arrays $_POST and $_GET, it is possible to set the value of the global
variable $userid by passing it as a GET parameter. Appending the string
"?userid=VALUE" to the URL sets the userid to an arbitrary value.

The initial "admin" user always has the id "1", so this value can be
used to get an administrative user's id. In the fIsAdmin() function, the
access rights of the user are checked using the query

"SELECT userid,groupid from membergroup where userid = '$userid' and
groupid = '0'"

The $userid variable now contains the value "1" set via the GET request,
so the query returns a matching row, fIsAdmin() returns "true", and the
requested page is loaded in the attacker's browser.


Proof of Concept
================

A web browser that does not follow redirects is needed, for example
Firefox with the NoRedirect extension installed and activated.


The following URL displays the "Users&Groups" tab of the administrative
interface:

http://www.example.org/owl/admin/index.php?userid=1


The next URL displays the mask for adding new users to the system:

http://www.example.org/owl/admin/index.php?userid=1&newuser


This URL allows direct editing of the default administrator account:

http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1


Workaround
==========

A possible workaround would be to add a call to exit() after every
header() call used for redirecting. This way, no page content will be
displayed. The variable $userid should also be reset to a sane default
after the call to the extract() function on the global $_GET and $_POST
arrays, so that a request cannot supply it.
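The two defects described under "More Details" and the workaround above, side by side, as an added illustration that is not Owl's own code: fIsAdmin() is reduced to an in-memory lookup on a constructed "membergroup" table, and all names other than fIsAdmin and $userid are assumptions.

```php
<?php
// Constructed stand-in for the membergroup table; group 0 is "Administrators".
const MEMBERGROUP = [['userid' => 1, 'groupid' => 0],
                     ['userid' => 2, 'groupid' => 5]];

// Mirrors the advisory's query: is there a membergroup row for $userid in group 0?
function fIsAdmin($userid): bool {
    foreach (MEMBERGROUP as $row) {
        if ((string) $row['userid'] === (string) $userid && $row['groupid'] === 0) {
            return true;
        }
    }
    return false;
}

// Vulnerable pattern: extract() lets "?userid=1" define $userid, and header()
// is not followed by exit(), so the admin page body is still emitted.
function admin_page_vulnerable(array $get, bool $guest_enabled): string {
    $userid = 0;                    // no user authenticated via the session
    extract($get);                  // the request now controls $userid
    if (!fIsAdmin($userid)) {
        die('You are not authorized to view this page');
    }
    if (!$guest_enabled) {
        header('Location: /owl/login.php');   // browser is told to redirect ...
        // ... but the script keeps running and returns the page anyway
    }
    return '<h1>Users&amp;Groups</h1>';
}

// Hardened pattern (the advisory's workaround): reset $userid from the
// server-side session after extract(), and exit() right after header().
// Assumed intent: anonymous visitors are redirected when guest access is off.
function admin_page_hardened(array $get, array $session, bool $guest_enabled): string {
    extract($get);
    $userid = (int) ($session['userid'] ?? 0);   // request-supplied value discarded
    if (!$guest_enabled && $userid === 0) {
        header('Location: /owl/login.php');
        exit();                                   // nothing below is reached
    }
    if (!fIsAdmin($userid)) {
        die('You are not authorized to view this page');
    }
    return '<h1>Users&amp;Groups</h1>';
}

// Constructed request carrying the parameter from the advisory's PoC URLs.
$request = ['userid' => '1'];
echo admin_page_vulnerable($request, false), "\n";   // admin page leaks
echo admin_page_hardened($request, [], false), "\n"; // redirect, script stops
```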


Fix
===

Upgrade to version 1.01.


Security Risk
=============

This vulnerability allows unauthenticated and unauthorised users to
access the Owl Intranet Engine with administrative access rights,
allowing them to fully control the affected system.


History
=======

2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor released fixed version and notified customer base
2011-12-15 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests and short
pentests, performed by a team of specialised IT-security experts. In this
way, security weaknesses in company networks or products are uncovered
and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.