
| Subject: | PHP Stat Administrative User Authentication Bypass |
|---|---|
| Date: | Fri, 27 May 2005 01:45:03 -0300 |

============================================================

Title: PHP Stat
Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 25/05/2005
Severity: Medium. PHP Stat Administrative User Authentication Bypass
Affected version: unknown
Vendor: http://phpstat.sourceforge.net/journal/

============================================================

* Summary *

PhpStat is a set of PHP scripts that can analyze, sort, and generate statistics on IM log files from different clients and store the data in a database. It also allows users to read their own logs.

-------------------------------------------------------------

* Problem Description *

The bug resides in the handling of the $check variable in setup.php.

Vulnerable Code

    include("config.php");
    include("$path_data/setup.php");

    $check = $_REQUEST['check'];
    $pass = $_REQUEST['pass'];
    $user = $_REQUEST['user'];

    if ($check == "admin" && $pass == $password && $user == $username) {
        showsetup();
    } elseif (($check == "admin") && ($pass != $password || $user != $username)) {
        adminerror();
    } elseif ($check == "yes") {
        // No credential comparison on this branch.
        write($_REQUEST);
    } else {
        admin();
    }

    /* when "yes" is sent as check, setup.php calls the function write() */

    function write($_REQUEST) {
        include("config.php");
        . . . .
        $admin = strtolower($_REQUEST['admin']);
        $username = strtolower($_REQUEST['username']);
        $password = strtolower($_REQUEST['password']);

        // Rewrites setup.php, including the stored admin username and password.
        $fp = fopen("$path_data/setup.php", "wb") or die ("The File \"$path_data/setup.php\" does not exist");
        flock( $fp, 2);
        fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow = \"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor = \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size = \"$font_size\";\n\$color = \"$color\";\n\$font_style = \"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing = \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username = \"$username\";\n\$password = \"$password\";\n?>");
        flock( $fp, 1);
        fclose ($fp);
    }

As you can see, the check=yes branch calls write() without comparing any credentials, so a request such as setup.php?check=yes&username=admin&password=admin overwrites the administrator username and password stored in setup.php.

-------------------------------------------------------------

* POC *

http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

-------------------------------------------------------------

* Fix *

Use .htaccess or contact Vendor.

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar
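
The dispatch flaw described above next to one way to close it, as an added example that is not part of the original advisory or of PhpStat's code. The function names route_vulnerable, is_admin and route_hardened and the stored credential values are hypothetical; the handlers are modelled as returned names so the two decisions can be compared without writing any file.

```php
<?php
// Added example (not PhpStat code): each function returns the handler name.

// As in the advisory: check=yes reaches write() with no credential check.
function route_vulnerable(array $req, string $username, string $password): string
{
    $check = $req['check'] ?? '';
    $pass  = $req['pass'] ?? '';
    $user  = $req['user'] ?? '';
    if ($check == "admin" && $pass == $password && $user == $username) {
        return 'showsetup';
    } elseif ($check == "admin" && ($pass != $password || $user != $username)) {
        return 'adminerror';
    } elseif ($check == "yes") {
        return 'write';
    }
    return 'admin';
}

// Hardened: credentials are verified once, before any privileged branch.
function is_admin(array $req, string $username, string $password): bool
{
    $user = $req['user'] ?? null;
    $pass = $req['pass'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // array-valued parameters such as user[]=x
    }
    $userOk = hash_equals($username, $user);
    $passOk = hash_equals($password, $pass);
    return $userOk && $passOk;
}

function route_hardened(array $req, string $username, string $password): string
{
    $check = $req['check'] ?? '';
    if ($check !== 'admin' && $check !== 'yes') {
        return 'admin'; // unauthenticated login form
    }
    if (!is_admin($req, $username, $password)) {
        return 'adminerror';
    }
    return $check === 'yes' ? 'write' : 'showsetup';
}

// Constructed sample: placeholder stored credentials, request from the advisory.
$req = ['check' => 'yes', 'username' => 'admin', 'password' => 'admin'];
foreach (['route_vulnerable', 'route_hardened'] as $f) {
    printf("%-16s -> %s\n", $f, $f($req, 'admin', 'placeholder-secret'));
}
```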