lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061204095704.30487.qmail@securityfocus.com>
Date: 4 Dec 2006 09:57:04 -0000
From: nj@...kerz.ir
To: bugtraq@...urityfocus.com
Subject: Multiple bugs in TFT-Gallery


Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First i should apologize for my bad english.

Intro:
	TFT-Gallery is a PHP-based Web image gallery & does n't require databse.
	
Bugs Description:
First bug)
	Look at admin`s index page(/admin/index.php)

	if(file_exists("passwd")) {
			$fd = fopen("passwd", "r");
			$givenpw = fgets($fd,15);
			fclose($fd);
			if(isset($_REQUEST['password']) and
				isset($_REQUEST['username']) and
					$_REQUEST['username']=='admin' and
						crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
				$_SESSION['admin']=true;
			} else {
				include_once "login_form.inc";
				exit;
			}
		}

	TFT-Gallery stores admin's password in "passwd" file at admin folder, so everyone has access
to it by going to:
											http://victim/admin/passwd
TIP: Password hashed by DES algorithm.
TIP: Username is "admin".
Second Bug)
	TFT-Gallery doesn't check file extension so if somebody who has gain access by First bug can 
upload any file extension (ex. evil.php).

Solution:
	Edit code and store passwd some where else (out of wwwroot).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ