Bug #35023 I can edit anyones profile
Submitted: 4 Mar 2008 4:28 Modified: 10 Mar 2008 23:36
Reporter: Diego Medina Email Updates:
Status: Closed Impact on me: None
Category: MySQL Websites: MySQLForge Severity: S1 (Critical)
Version: forge1.mysql.com OS: Any
Assigned to: CPU Architecture: Any
Tags: login

[4 Mar 2008 4:28] Diego Medina
Description:
This one I think is really critical.

I can edit my cookie and become anyone else in the forge, I only need to know the user id (the number, not email address).

How to repeat:
It is easy using Firefox and the Web Developer plugin.

URL for the plugin: https://addons.mozilla.org/en-US/firefox/addon/60
but any other way of editing cookies would work.

1- Log in as normal.
2- Right click the forge page and select "Web Developer -> Cookies -> View cookie information".
3- On the new window, click on Edit next to the cookie under the name of "FORGSESS".

4- The value looks kind of complicated, but using any URL decoder and then an HTML decoder gives you pretty much this:

a:4:
{
s:7:"user_id";
s:4:"1044";
s:15:"persist_session";
s:1:"0";
s:12:"display_name";
s:6:"diego2";
s:9:"__version";
i:4;
}

5- Change the number 1044 (this is my user id) to some other number, and also change the 4 that is right after the s: to the length of your new user id number.

6- Go to the forge page now and click on Edit profile.
7- There you are, someone else's profile.

PS: you can get any profile id from here: http://forge1.mysql.com/people/search.php

Suggested fix:
I would actually really like to know how you guys will fix this one as I do not see an easy way that would make it secure.
[5 Mar 2008 6:05] Giuseppe Maxia
Diego,
Thanks for this analysis.
We are aware of the problem. The cookie is not encrypted, due to a bug in the library we are using for this purpose. Jay will find an alternative.

Encrypting the cookie will fix the vulnerability.
[9 Mar 2008 2:46] Diego Medina
Hi Giuseppe,

Out of curiosity, would the encryption be the same kind that is now present on the forge.mysql.com site?
[10 Mar 2008 13:11] Jay Pipes
Hi Diego!

It is similar, but not the same.  The problem with the new Forge1.mysql.com server is a bug in Ubuntu's libmcrypt and php.  You can see the bug here on Launchpad:

https://bugs.launchpad.net/ubuntu/+source/php-mcrypt/+bug/130181

I'm working on a workaround for this.

Thanks,

Jay
[10 Mar 2008 23:36] Jay Pipes
The cryptography functions have been rewritten to use PEAR::Crypt_Blowfish, which apparently does not suffer from the hanging bug on Ubuntu servers.

Cookie session information is now completely encrypted. The cookie version has been incremented so next time anyone accesses the site, they will immediately be logged out and their session destroyed so that a new encrypted session can be made.

FIXED in r446-450
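The forgery in the report works because FORGSESS is plain serialized data with nothing that lets the server tell an issued cookie from an edited one. The example below is added here and is not the Forge code (which is PHP; this is Python so it can be run stand-alone): it builds a cookie with the same fields the report shows, appends an HMAC over the serialized bytes, and rejects any cookie whose user_id was rewritten client-side. The key handling and JSON encoding are assumptions for the demo, not what the site used.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for the demo: a per-process key. A real deployment keeps a
# fixed secret outside the web root and rotates it deliberately.
SERVER_KEY = secrets.token_bytes(32)


def _encode(session):
    # Canonical byte form of the session so the MAC covers exactly what is stored.
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


def issue_cookie(session, key=SERVER_KEY):
    """Serialize the session and append an HMAC-SHA256 tag: '<hex payload>.<hex tag>'."""
    payload = _encode(session)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def read_cookie(cookie, key=SERVER_KEY):
    """Return the session dict, or None if the cookie is malformed or its tag does not match."""
    try:
        payload_hex, tag = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)


def rewrite_user_id(cookie, new_user_id):
    """Reproduce the report's edit: change user_id in the payload but keep the old tag."""
    payload_hex, tag = cookie.split(".", 1)
    session = json.loads(bytes.fromhex(payload_hex))
    session["user_id"] = str(new_user_id)
    return _encode(session).hex() + "." + tag


def demo():
    # Field names and values taken from the decoded FORGSESS cookie in the report.
    session = {"user_id": "1044", "persist_session": "0",
               "display_name": "diego2", "__version": 4}
    issued = issue_cookie(session)
    edited = rewrite_user_id(issued, 2)
    return read_cookie(issued), read_cookie(edited)
```

The second value returned by `demo()` is `None`: the edited user_id no longer matches the tag, so the server treats the cookie as no session at all rather than as user 2.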