| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Nov 2003 18:49:57 +0300
From: r00t@...eam.ru
To: bugtraq@...urityfocus.com
Subject: PHP-Coolfile version 1.4 unauthorized access
/************************************
**---------------------------------**
** RusH security team advisory **
**---------------------------------**
** www.rsteam.ru **
** http://rst.void.ru **
************************************/
/***********************************/
Product: PHP-Coolfile
Version: 1.4
Vuln: unauthorized access
OffSite: http://dcom.bip.ru/coolfile/
/***********************************/
Date: 11/11/2003
Author: 1dt.w0lf // RsT
/***********************************/
Problem:
========
Bug found in action.php file (string 96):
[scip]
if (@$action == "edit") { edit_file($file, $basename, @$filename); }
if (@$action == "copy") { [scip] }
if (@$action == "print_chmod") { [scip] }
elseif ((@md5($uin) != session_id()) | (!@...n)) { print "Access denied!"; } # 96 string
[scip]
last string (96) don't work if $action="copy" or any other...
Overview:
=========
Any can view config.php file and get administration login and password
Example:
www.site.com/php-coolfile/action.php?action=edit&file=config.php
Solution:
=========
1. Delete 96 string.
2. copy this code in 23 string of action.php file
if ((@md5($uin) != session_id()) OR (!@...n)) { print "Access denied!"; exit; }
/***********************************/
U can view RU version of this text
on our site http://www.rsteam.ru
/***********************************/
Contacts:
1dt.w0lf - idtwolf@...em.net
RusH team - r00t@...eam.ru
/***********************************/
Powered by blists - more mailing lists