Date: Wed, 23 Nov 2011 23:10:22 +0000
From: Darren McDonald <athena@...donald.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Pro Clan Manager 0.4.2 – Multiple Vulnerabilities

Pro Clan Manager, Multiple Vulnerabilities

===============
Document Details
===============
Version 1.0, 2011-11-19

===============
Background
===============

"The aim of Pro Clan Manager is to create an international content
management system dedicated to helping Clans or Guilds work together
and have a good looking website that is W3C valid." [1]

Both of the listed issues can allow unauthenticated users with zero
knowledge to gain administrative access to the application. This
includes permissions to upload arbitrary files such as PHP scripts.

===============
Versions
===============

Version 1.4.2 was tested. The author has decided to officially
discontinue the project in response to these issues. Users should
uninstall the software as soon as possible, even before a replacement
has been found.

===============
Finding 1 - SQL Injection
===============

Description

The application performs input validation using the $post->Text method
throughout the application on strings to be used in dynamic query
construction. These fields do not appear to be vulnerable to SQL
Injection.

However, the $post->LoginFilter method uses eregi to ensure that
non-alphanumeric characters are not present in the login field. eregi
expects a C-style null-terminated string and does not examine anything
beyond the first null byte it encounters. Prefixing a SQL injection
attack string with a null byte therefore bypasses this filtering.

The following attack string can be used in the login field to access
the system as the administrator.

notarealuser%00'+union+select+1;#

This needs to be entered as a raw HTTP request.
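The defensive lesson of this finding is that an allow-list must be evaluated over the whole input, with an embedded null byte treated as a hard rejection rather than a string terminator, and that the login value must still be bound as a parameter rather than concatenated into SQL. The following Python snippet is an added illustration, not code from the advisory or from Pro Clan Manager; the function and variable names and the access-log lines are constructed for this example. It shows a full-string validator for the login field and a small log check that flags request lines carrying a percent-encoded null byte in the login parameter.

```python
import re
from urllib.parse import unquote_plus

# Allow-list for the login field: ASCII letters and digits only. re.fullmatch
# examines the entire string and, unlike a C-string API, does not stop at an
# embedded NUL byte.
LOGIN_RE = re.compile(r"[A-Za-z0-9]+")


def login_is_clean(login: str) -> bool:
    """True only if the login is non-empty, contains no NUL byte and consists
    entirely of ASCII letters and digits."""
    if "\x00" in login:  # reject truncation tricks explicitly, not just by regex
        return False
    return LOGIN_RE.fullmatch(login) is not None


def decode_form_field(raw: str) -> str:
    """Decode an application/x-www-form-urlencoded value the way the web
    server hands it to the application (so %00 becomes a real NUL byte)."""
    return unquote_plus(raw)


# Detection side: flag request-log lines whose login parameter carries a
# percent-encoded NUL byte. These log lines are constructed for this example.
LOG_LINES = [
    '10.0.0.5 - - "POST /login.php?login=alice&pass=xxx HTTP/1.1" 200',
    '10.0.0.9 - - "POST /login.php?login=bob%00abc&pass=xxx HTTP/1.1" 200',
    '10.0.0.7 - - "POST /login.php?login=carol&pass=xxx HTTP/1.1" 302',
]

# Captures the value of a login= query parameter that contains %00 anywhere.
NUL_IN_LOGIN = re.compile(r"[?&]login=([^&\s\"]*%00[^&\s\"]*)", re.IGNORECASE)


def find_nul_byte_logins(lines):
    """Return the decoded login values from lines whose login parameter
    contains a percent-encoded NUL byte."""
    hits = []
    for line in lines:
        m = NUL_IN_LOGIN.search(line)
        if m:
            hits.append(decode_form_field(m.group(1)))
    return hits


if __name__ == "__main__":
    for candidate in ("alice", "notarealuser\x00abc", "o'brien"):
        print(repr(candidate), "->", "accepted" if login_is_clean(candidate) else "rejected")
    print("suspicious logins in log:", find_nul_byte_logins(LOG_LINES))
```

The validator rejects the null-byte-prefixed input that defeats eregi, but validation alone is a second line of defence: the query in the login handler should use a prepared statement so that a value which slips past the filter is still treated as data.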

===============
Finding 2 - Poor Random Password Generation
===============

Description

Line 302 in includes/user.php generates passwords for new users and
users which have their passwords reset by an administrator.

$password = substr(md5(rand(10000,99999)), 5, 8);

While the passwords generated by this code appear random, it is clear
from the snippet above that this code can generate at most 90,000
unique passwords.

A list of these passwords is easily constructed; used in an automated
attack, it took around 15 minutes on average to successfully guess a
randomly generated password.

A complete list of passwords can be obtained from the following URL,
http://dmcdonald.net/pcm-passgen.php.

===============
References
===============

[1] Pro Clan Manager SourceForge Page,
http://sourceforge.net/projects/autoweb/, Accessed 2011-11-19

===============
Links
===============
http://dmcdonald.net/?page_id=51 - The latest version of this advisory
http://dmcdonald.net/pcm-passgen.php - A script to generate a complete
list of possible random passwords
http://dmcdonald.net/pcm-passgen.txt - The source code for pcm-passgen.php
http://www.proclanmanager.com - The Pro Clan Manager website

-----
Renski
aka Darren McDonald
http://dmcdonald.net
M6LUL
