Message-ID: <20051021203423.12297.qmail@securityfocus.com>
Date: 21 Oct 2005 20:34:23 -0000
From: chburchert@....de
To: bugtraq@...urityfocus.com
Subject: aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)
Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from http://www.incast-security.de/.
Description:
============
Newsworld is a simple news system with two access levels and a comfortable web-administration interface. It is possible to create password-protected users who can post news. Newsworld saves its data in text files, so no SQL database is necessary.
Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.
Because Newsworld saves the user data in text files, this file can be requested over the web to gain information about users. The user accounts are stored in account.nwd and have the following format:
Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@...ver.home.net#2#N#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#
From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@...ver.home.net#2#N#Y#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#Uploadright?#
As you can see, this information should not be publicly available. With it you may be able to bypass the login; see Vulnerability 2 for details.
You find the account.nwd in the following places:
1.0.1: /accound.nwd
Since 1.1.0: /data/account.nwd
Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.
If you have obtained the user information and the version is below 1.3.1, you can bypass the login and gain access to the administration interface. The password hash cannot be used in the login panel directly, because the script hashes the input and compares the result with the hash in account.nwd. There is still a way into the administration: admin_news.php accepts the credentials as request parameters, so the hash can be passed directly:
http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>
Vulnerability 3: Login Bypass
========================================
Vulnerable from version 1.3.1 on.
From version 1.3.1 the script uses sessions for the administration panel. However, the sessions are also saved in a file called session.nwd, which is exposed in the same way, so the session ID of a user who is currently online can be read from it. The session.nwd has the following format:
3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for timelimit
Copy the session ID and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
You are then inside the administration panel.
Solution for Vulnerability 1:
========================================
Create a .htaccess (FilesMatch takes a regular expression, so the dot must be escaped; the original "\account.nwd$" would not match the file):
<FilesMatch "account\.nwd$">
Deny from all
</FilesMatch>
Solution for Vulnerability 2:
========================================
You could hash the password twice before writing it into account.nwd, and have admin_news.php hash the submitted parameter a second time before comparing. Anyone who tries to get in by passing a leaked hash as the parameter will fail, because the value is hashed again and then no longer matches the entry in account.nwd.
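The following is an added example, not code from the advisory or from Newsworld itself: a Python model of the account.nwd record formats described under Vulnerability 1 and of the double-hash check proposed above. It shows why a hash leaked from account.nwd passes the original comparison but is rejected once the stored value is md5(md5(password)). The sample record and e-mail address are constructed; the hash is the advisory's example value, which is md5("test").

```python
import hashlib

# Constructed sample account.nwd line in the >= 1.3.0 format (7 fields).
# The hash 098f6bcd... is md5("test"), as in the advisory's example record.
ACCOUNT_LINE = "1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@example.invalid#2#N#Y#"

FIELDS_OLD = ("uid", "user", "pwhash", "email", "priv", "banned")   # until 1.3.0
FIELDS_NEW = FIELDS_OLD + ("upload",)                                 # 1.3.0 .. 1.5.0-rc1

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_account(line: str) -> dict:
    """Split an account.nwd record; the trailing '#' yields an empty last field."""
    parts = line.rstrip("\n").split("#")[:-1]
    if len(parts) == 6:
        names = FIELDS_OLD
    elif len(parts) == 7:
        names = FIELDS_NEW
    else:
        raise ValueError(f"unexpected field count {len(parts)}")
    return dict(zip(names, parts))

def check_vulnerable(stored: str, pwd_param: str) -> bool:
    """Pre-fix admin_news.php logic: the pwd parameter is compared directly
    with the stored hash, so a leaked hash works as a credential."""
    return pwd_param == stored

def check_hardened(stored_double: str, pwd_param: str) -> bool:
    """Proposed fix: account.nwd stores md5(md5(pw)); the script hashes the
    single-hashed parameter once more before comparing."""
    return md5hex(pwd_param) == stored_double

def demo():
    acct = parse_account(ACCOUNT_LINE)
    leaked = acct["pwhash"]                  # what Vulnerability 1 exposes
    vuln = check_vulnerable(leaked, leaked)  # leaked hash accepted as-is
    # Under the fix the file holds md5(md5("test")); a genuine login submits md5("test").
    stored_double = md5hex(leaked)
    legit = check_hardened(stored_double, md5hex("test"))
    replay = check_hardened(stored_double, stored_double)  # leaked file value replayed
    return vuln, legit, replay  # (True, True, False)
```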
Solution for Vulnerability 3:
========================================
Create a .htaccess (again with the dot escaped in the pattern):
<FilesMatch "session\.nwd$">
Deny from all
</FilesMatch>
Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.