Date: Tue, 26 Aug 2003 17:08:43 +0200
From: "Frog Man" <leseulfrog@...mail.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: [PHP] AttilaPHP 3.0 : User/Admin Access


Information :
°°°°°°°°°°°°°
Language : PHP
Version : 3.0 (and earlier ?)
Website : http://www.attila-php.net
Problem : User/Admin Access


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

www/global.php3 :

---------------------------------------------------------------------------------------------------------------------------
function get_identity()
{
global $cook_id, $TABLE_CURRENT_VISITS,$base;
$table=$TABLE_CURRENT_VISITS;

connect_db();

if (!$cook_id) { /** no cookie set? Visitor! **/

	add_log("visit",14);
	$query="SELECT * FROM $table Where visiteur=14";
	$resu2=mysql_db_query($base,$query);
	if (mysql_fetch_row($resu2)==0)
		{
		$query="INSERT INTO $table (id,visiteur) VALUES ('0','14')"; /** If no entry for visitor, insert one **/
		$resu=mysql_db_query($base,$query);
		}

	$query="SELECT * FROM $table Where visiteur=14";
	$resu=mysql_db_query($base,$query);
	$row=mysql_fetch_array($resu);
	$valid=$row["ID"];
	setcookie("cook_id",$valid);
	return(14); exit;

	}


$query="SELECT * FROM $table Where ID=$cook_id";
$resu=mysql_db_query($base,$query);
$row=mysql_fetch_array($resu);
$visiteur=$row["visiteur"];
return($visiteur);

}
---------------------------------------------------------------------------------------------------------------------------


/user.php3, www/user_action.php3 :

-------------------------------------------------------------------------
$identite=get_identity();
if ($identite==14) {header("Location: http://$weburl/index.php3"); exit;}
-------------------------------------------------------------------------


www/god_action.php3,www/god.php3 :

--------------------------------------------------------------
$identite=get_identity();
if ($identite!=1) {header("Location: http://$weburl"); exit; }
--------------------------------------------------------------


Exploit :
°°°°°°°

Set a cookie named "cook_id" with the value "0 OR visiteur=1" on 
http://[target]/index.php3 (or any other page).


Patch :
°°°°°°°
A patch and more details can be found on http://www.phpsecure.info.

In www/global.php3, replace the line :
------------------------------------------------
$query="SELECT * FROM $table Where ID=$cook_id";
------------------------------------------------

with the lines :

--------------------------------------------------
$cook_id = addslashes($cook_id);
$query="SELECT * FROM $table Where ID='$cook_id'";
--------------------------------------------------





frog-m@n
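
A stricter alternative to the patch above, added here as an example and not part of the original advisory or of AttilaPHP's code: because `cook_id` is a numeric row ID, the lookup can accept only decimal digits and bind the value as a parameter instead of escaping it. The in-memory SQLite table, its sample rows, the table name `current_visits`, and the helper names `make_db` and `lookup_identity` are assumptions made for illustration.

```php
<?php
// Added example: constructed table and rows, in-memory SQLite via PDO.
// Column names follow the advisory; the table name and helpers are hypothetical.

const VISITOR = 14; // identity the advisory's code returns for anonymous visitors

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE current_visits (ID INTEGER PRIMARY KEY, visiteur INTEGER)');
    // Constructed sessions: ID 1 = visitor, ID 2 = admin (visiteur=1), ID 3 = regular user
    $db->exec('INSERT INTO current_visits (ID, visiteur) VALUES (1, 14), (2, 1), (3, 27)');
    return $db;
}

function lookup_identity(PDO $db, $cookId): int
{
    // Accept only a plain decimal session ID; anything else is treated as "no session".
    if (!is_string($cookId) || !ctype_digit($cookId)) {
        return VISITOR;
    }
    // Bound parameter: the cookie value is passed as data, never as SQL text.
    $stmt = $db->prepare('SELECT visiteur FROM current_visits WHERE ID = :id');
    $stmt->bindValue(':id', (int) $cookId, PDO::PARAM_INT);
    $stmt->execute();
    $visiteur = $stmt->fetchColumn();
    // An unknown session ID also falls back to the visitor identity.
    return $visiteur === false ? VISITOR : (int) $visiteur;
}

$db = make_db();
// A valid ID, the cookie value from the advisory, an empty cookie, an unknown ID.
foreach (['3', '0 OR visiteur=1', '', '999'] as $cookie) {
    printf("%-20s => %d\n", var_export($cookie, true), lookup_identity($db, $cookie));
}
```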
